8.8
WorkTime Server 'widget' API Allows Unauthorized Data Access
CVE-2025-15560
Summary
A SQL injection vulnerability in the WorkTime server's 'widget' API allows an authenticated user with limited permissions to access sensitive data. If the Firebird database backend is used, attackers can retrieve all data from the database. If the MSSQL backend is used, attackers can also execute arbitrary SQL statements on the database backend. Update the WorkTime server to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| nestersoft | worktime | <= 11.8.8 | – |
Original title
An authenticated attacker with minimal permissions can exploit a SQL injection in the WorkTime server "widget" API endpoint to inject SQL queries. If the Firebird backend is used, attackers are abl...
Original description
An authenticated attacker with minimal permissions can exploit a SQL injection in the WorkTime server "widget" API endpoint to inject SQL queries. If the Firebird backend is used, attackers are able to retrieve all data from the database backend. If the MSSQL backend is used the attacker can execute arbitrary SQL statements on the database backend and gain access to sensitive data.
NVD CVSS 3.1
8.8
Vulnerability type
CWE-89
SQL Injection
- https://r.sec-consult.com/worktime Third Party Advisory
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026