Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
6.1
Adobe ColdFusion: Malicious URLs Can Execute JavaScript in Browser
CVE-2025-15562
Summary
Adobe ColdFusion's /report/internet/urls endpoint fails to protect against malicious URLs, allowing attackers to inject JavaScript code that can execute in a user's browser. This could lead to unauthorized actions or data theft. Update ColdFusion to the latest version to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| nestersoft | worktime | <= 11.8.8 | – |
| nestersoft | worktime | <= 11.8.8 | – |
Original title
The server API endpoint /report/internet/urls reflects received data into the HTML response without applying proper encoding or filtering. This allows an attacker to execute arbitrary JavaScript in...
Original description
The server API endpoint /report/internet/urls reflects received data into the HTML response without applying proper encoding or filtering. This allows an attacker to execute arbitrary JavaScript in the victim's browser if the victim opens a URL prepared by the attacker.
nvd CVSS3.1
6.1
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
- https://r.sec-consult.com/worktime Third Party Advisory
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026