CVE-2026-2711 - zhutoutoutousan worldquant-miner URL ssrf_proxy.py server-side request forgery
CVE ID : CVE-2026-2711
Published : Feb. 19, 2026, 7:02 a.m. | 1 hour, 20 minutes ago
Description : A vulnerability has been found in zhutoutoutousan worldquant-miner up to 1.0.9. The impacted element is an unknown function of the file worldquant-miner-master/agent-dify-api/core/helper/ssrf_proxy.py of the component URL Handler. The manipulation of the argument make_request leads to server-side request forgery. The attack can be initiated remotely. The attack's complexity is rated as high. The exploitability is regarded as difficult. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-2711
Published : Feb. 19, 2026, 7:02 a.m. | 1 hour, 20 minutes ago
Description : A vulnerability has been found in zhutoutoutousan worldquant-miner up to 1.0.9. The impacted element is an unknown function of the file worldquant-miner-master/agent-dify-api/core/helper/ssrf_proxy.py of the component URL Handler. The manipulation of the argument make_request leads to server-side request forgery. The attack can be initiated remotely. The attack's complexity is rated as high. The exploitability is regarded as difficult. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-2733 - Org.keycloak/keycloak-services: keycloak: missing check on disabled client for docker registry protocol
CVE ID : CVE-2026-2733
Published : Feb. 19, 2026, 7:48 a.m. | 34 minutes ago
Description : A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously valid credentials can still be used to obtain authentication tokens. This weakens administrative controls and could allow unintended access to container registry resources.
Severity: 3.8 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-2733
Published : Feb. 19, 2026, 7:48 a.m. | 34 minutes ago
Description : A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously valid credentials can still be used to obtain authentication tokens. This weakens administrative controls and could allow unintended access to container registry resources.
Severity: 3.8 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-26359 - Dell Unisphere for PowerMax File Path Overwrite Vulnerability
CVE ID : CVE-2026-26359
Published : Feb. 19, 2026, 8:34 a.m. | 3 hours, 49 minutes ago
Description : Dell Unisphere for PowerMax, version(s) 10.2, contain(s) an External Control of File Name or Path vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to the ability to overwrite arbitrary files.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-26359
Published : Feb. 19, 2026, 8:34 a.m. | 3 hours, 49 minutes ago
Description : Dell Unisphere for PowerMax, version(s) 10.2, contain(s) an External Control of File Name or Path vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to the ability to overwrite arbitrary files.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-2735 - Stored Cross-Site Scripting (XSS) vulnerability in Alkacon's OpenCms
CVE ID : CVE-2026-2735
Published : Feb. 19, 2026, 8:38 a.m. | 3 hours, 44 minutes ago
Description : Stored Cross-Site Scripting (XSS) in Alkacon's OpenCms v18.0, which occurs when user input is not properly validated when sending a POST request to ‘/blog/new-article/org.opencms.ugc.CmsUgcEditService.gwt’ using the ‘text’ parameter.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-2735
Published : Feb. 19, 2026, 8:38 a.m. | 3 hours, 44 minutes ago
Description : Stored Cross-Site Scripting (XSS) in Alkacon's OpenCms v18.0, which occurs when user input is not properly validated when sending a POST request to ‘/blog/new-article/org.opencms.ugc.CmsUgcEditService.gwt’ using the ‘text’ parameter.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-2736 - Reflected Cross-Site Scripting (XSS) vulnerability in Alkacon's OpenCms
CVE ID : CVE-2026-2736
Published : Feb. 19, 2026, 8:39 a.m. | 3 hours, 43 minutes ago
Description : Reflected Cross-site Scripting (XSS) in Alkacon's OpenCms v18.0, which allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL containing the ‘q’ parameter in ‘/search/index.html’. This vulnerability can be exploited to steal sensitive user information such as session cookies, or to perform actions while impersonating the user.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-2736
Published : Feb. 19, 2026, 8:39 a.m. | 3 hours, 43 minutes ago
Description : Reflected Cross-site Scripting (XSS) in Alkacon's OpenCms v18.0, which allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL containing the ‘q’ parameter in ‘/search/index.html’. This vulnerability can be exploited to steal sensitive user information such as session cookies, or to perform actions while impersonating the user.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-26360 - Dell Unisphere for PowerMax External Control of File Name or Path Vulnerability
CVE ID : CVE-2026-26360
Published : Feb. 19, 2026, 8:41 a.m. | 3 hours, 42 minutes ago
Description : Dell Unisphere for PowerMax, version(s) 10.2, contain(s) an External Control of File Name or Path vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability to delete arbitrary files.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-26360
Published : Feb. 19, 2026, 8:41 a.m. | 3 hours, 42 minutes ago
Description : Dell Unisphere for PowerMax, version(s) 10.2, contain(s) an External Control of File Name or Path vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability to delete arbitrary files.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-40697 - Reflected Cross-Site Scripting (XSS) in Lewe WebMeasure
CVE ID : CVE-2025-40697
Published : Feb. 19, 2026, 8:44 a.m. | 3 hours, 39 minutes ago
Description : Reflected Cross-Site Scripting (XSS) vulnerability in '/index.php' in Lewe WebMeasure, which allows remote attackers to execute arbitrary code through the 'page' parameter. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-40697
Published : Feb. 19, 2026, 8:44 a.m. | 3 hours, 39 minutes ago
Description : Reflected Cross-Site Scripting (XSS) vulnerability in '/index.php' in Lewe WebMeasure, which allows remote attackers to execute arbitrary code through the 'page' parameter. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-26358 - Dell Unisphere for PowerMax Missing Authorization Vulnerability
CVE ID : CVE-2026-26358
Published : Feb. 19, 2026, 8:47 a.m. | 3 hours, 35 minutes ago
Description : Dell Unisphere for PowerMax, version(s) 10.2, contain(s) a Missing Authorization vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-26358
Published : Feb. 19, 2026, 8:47 a.m. | 3 hours, 35 minutes ago
Description : Dell Unisphere for PowerMax, version(s) 10.2, contain(s) a Missing Authorization vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-41023 - Authentication bypass in AutoGPT de Thesamur
CVE ID : CVE-2025-41023
Published : Feb. 19, 2026, 8:50 a.m. | 3 hours, 32 minutes ago
Description : An authentication bypass vulnerability has been found in Thesamur's AutoGPT. This vulnerability allows an attacker to bypass authentication mechanisms. Once inside the web application, the attacker can use any of its features regardless of the authorisation method used.
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-41023
Published : Feb. 19, 2026, 8:50 a.m. | 3 hours, 32 minutes ago
Description : An authentication bypass vulnerability has been found in Thesamur's AutoGPT. This vulnerability allows an attacker to bypass authentication mechanisms. Once inside the web application, the attacker can use any of its features regardless of the authorisation method used.
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-22269 - Dell PowerProtect Data Manager Improper Verification of Source of a Communication Channel
CVE ID : CVE-2026-22269
Published : Feb. 19, 2026, 9 a.m. | 3 hours, 22 minutes ago
Description : Dell PowerProtect Data Manager, version(s) prior to 19.22, contain(s) an Improper Verification of Source of a Communication Channel vulnerability in the REST API. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to protection mechanism bypass.
Severity: 4.7 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-22269
Published : Feb. 19, 2026, 9 a.m. | 3 hours, 22 minutes ago
Description : Dell PowerProtect Data Manager, version(s) prior to 19.22, contain(s) an Improper Verification of Source of a Communication Channel vulnerability in the REST API. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to protection mechanism bypass.
Severity: 4.7 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-22266 - Dell PowerProtect Data Manager REST API Improper Verification of Source of a Communication Channel Vulnerability
CVE ID : CVE-2026-22266
Published : Feb. 19, 2026, 9:06 a.m. | 3 hours, 16 minutes ago
Description : Dell PowerProtect Data Manager, version(s) prior to 19.22, contain(s) an Improper Verification of Source of a Communication Channel vulnerability in the REST API. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to protection mechanism bypass.
Severity: 4.7 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-22266
Published : Feb. 19, 2026, 9:06 a.m. | 3 hours, 16 minutes ago
Description : Dell PowerProtect Data Manager, version(s) prior to 19.22, contain(s) an Improper Verification of Source of a Communication Channel vulnerability in the REST API. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to protection mechanism bypass.
Severity: 4.7 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-22268 - Dell PowerProtect Data Manager Privilege Escalation Denial of Service
CVE ID : CVE-2026-22268
Published : Feb. 19, 2026, 9:12 a.m. | 3 hours, 11 minutes ago
Description : Dell PowerProtect Data Manager, version(s) prior to 19.22, contain(s) an Incorrect Privilege Assignment vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to denial of service of a Dell Enterprise Support connection.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-22268
Published : Feb. 19, 2026, 9:12 a.m. | 3 hours, 11 minutes ago
Description : Dell PowerProtect Data Manager, version(s) prior to 19.22, contain(s) an Incorrect Privilege Assignment vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to denial of service of a Dell Enterprise Support connection.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-22267 - Dell PowerProtect Data Manager Privilege Escalation Vulnerability
CVE ID : CVE-2026-22267
Published : Feb. 19, 2026, 9:16 a.m. | 3 hours, 6 minutes ago
Description : Dell PowerProtect Data Manager, version(s) prior to 19.22, contain(s) an Incorrect Privilege Assignment vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-22267
Published : Feb. 19, 2026, 9:16 a.m. | 3 hours, 6 minutes ago
Description : Dell PowerProtect Data Manager, version(s) prior to 19.22, contain(s) an Incorrect Privilege Assignment vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-1461 - Simple Membership <= 4.7.0 - Unauthenticated Improper Handling of Missing Values
CVE ID : CVE-2026-1461
Published : Feb. 19, 2026, 9:26 a.m. | 2 hours, 56 minutes ago
Description : The Simple Membership plugin for WordPress is vulnerable to Improper Handling of Missing Values in all versions up to, and including, 4.7.0 via the Stripe webhook handler. This is due to the plugin only validating webhook signatures when the stripe-webhook-signing-secret setting is configured, which is empty by default. This makes it possible for unauthenticated attackers to forge Stripe webhook events to manipulate membership subscriptions, including reactivating expired memberships without payment or canceling legitimate subscriptions, potentially leading to unauthorized access and service disruption.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-1461
Published : Feb. 19, 2026, 9:26 a.m. | 2 hours, 56 minutes ago
Description : The Simple Membership plugin for WordPress is vulnerable to Improper Handling of Missing Values in all versions up to, and including, 4.7.0 via the Stripe webhook handler. This is due to the plugin only validating webhook signatures when the stripe-webhook-signing-secret setting is configured, which is empty by default. This makes it possible for unauthenticated attackers to forge Stripe webhook events to manipulate membership subscriptions, including reactivating expired memberships without payment or canceling legitimate subscriptions, potentially leading to unauthorized access and service disruption.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-2716 - Client Testimonial Slider <= 2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Testimonial Heading' Setting
CVE ID : CVE-2026-2716
Published : Feb. 19, 2026, 9:26 a.m. | 2 hours, 56 minutes ago
Description : The Client Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Testimonial Heading' setting in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity: 4.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-2716
Published : Feb. 19, 2026, 9:26 a.m. | 2 hours, 56 minutes ago
Description : The Client Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Testimonial Heading' setting in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity: 4.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-2718 - Dealia <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gutenberg Block Attributes
CVE ID : CVE-2026-2718
Published : Feb. 19, 2026, 9:26 a.m. | 2 hours, 56 minutes ago
Description : The Dealia – Request a Quote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Gutenberg block attributes in all versions up to, and including, 1.0.6. This is due to the use of `wp_kses()` for output escaping within HTML attribute contexts where `esc_attr()` is required. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-2718
Published : Feb. 19, 2026, 9:26 a.m. | 2 hours, 56 minutes ago
Description : The Dealia – Request a Quote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Gutenberg block attributes in all versions up to, and including, 1.0.6. This is due to the use of `wp_kses()` for output escaping within HTML attribute contexts where `esc_attr()` is required. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-1219 - MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar 4.0 - 5.10 - Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure
CVE ID : CVE-2026-1219
Published : Feb. 19, 2026, 9:26 a.m. | 2 hours, 56 minutes ago
Description : The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 4.0 to 5.10 via the 'load_track_note_ajax' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view the contents of private posts.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-1219
Published : Feb. 19, 2026, 9:26 a.m. | 2 hours, 56 minutes ago
Description : The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 4.0 to 5.10 via the 'load_track_note_ajax' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view the contents of private posts.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12107 - Potential authenticated Server-Side Template Injection (SSTI) vulnerability.
CVE ID : CVE-2025-12107
Published : Feb. 19, 2026, 10:04 a.m. | 2 hours, 18 minutes ago
Description : Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute arbitrary template syntax within server-side templates. Successful exploitation of this vulnerability could allow a malicious actor with admin privilege to inject and execute arbitrary template code on the server, potentially leading to remote code execution, data manipulation, or unauthorized access to sensitive information.
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12107
Published : Feb. 19, 2026, 10:04 a.m. | 2 hours, 18 minutes ago
Description : Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute arbitrary template syntax within server-side templates. Successful exploitation of this vulnerability could allow a malicious actor with admin privilege to inject and execute arbitrary template code on the server, potentially leading to remote code execution, data manipulation, or unauthorized access to sensitive information.
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13590 - Authenticated arbitrary file upload via a System REST API requiring administrator permission.
CVE ID : CVE-2025-13590
Published : Feb. 19, 2026, 10:05 a.m. | 2 hours, 18 minutes ago
Description : A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution. By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.
Severity: 9.1 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13590
Published : Feb. 19, 2026, 10:05 a.m. | 2 hours, 18 minutes ago
Description : A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution. By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.
Severity: 9.1 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-15559 - Unauthenticated OS Command Injection in NesterSoft WorkTime
CVE ID : CVE-2025-15559
Published : Feb. 19, 2026, 10:45 a.m. | 1 hour, 37 minutes ago
Description : An unauthenticated attacker can inject OS commands when calling a server API endpoint in NesterSoft WorkTime. The server API call to generate and download the WorkTime client from the WorkTime server is vulnerable in the “guid” parameter. This allows an attacker to execute arbitrary commands on the WorkTime server as NT Authority\SYSTEM with the highest privileges. Attackers are able to access or manipulate sensitive data and take over the whole server.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-15559
Published : Feb. 19, 2026, 10:45 a.m. | 1 hour, 37 minutes ago
Description : An unauthenticated attacker can inject OS commands when calling a server API endpoint in NesterSoft WorkTime. The server API call to generate and download the WorkTime client from the WorkTime server is vulnerable in the “guid” parameter. This allows an attacker to execute arbitrary commands on the WorkTime server as NT Authority\SYSTEM with the highest privileges. Attackers are able to access or manipulate sensitive data and take over the whole server.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-15560 - SQL Injection in NesterSoft WorkTime
CVE ID : CVE-2025-15560
Published : Feb. 19, 2026, 10:48 a.m. | 1 hour, 34 minutes ago
Description : An authenticated attacker with minimal permissions can exploit a SQL injection in the WorkTime server "widget" API endpoint to inject SQL queries. If the Firebird backend is used, attackers are able to retrieve all data from the database backend. If the MSSQL backend is used the attacker can execute arbitrary SQL statements on the database backend and gain access to sensitive data.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-15560
Published : Feb. 19, 2026, 10:48 a.m. | 1 hour, 34 minutes ago
Description : An authenticated attacker with minimal permissions can exploit a SQL injection in the WorkTime server "widget" API endpoint to inject SQL queries. If the Firebird backend is used, attackers are able to retrieve all data from the database backend. If the MSSQL backend is used the attacker can execute arbitrary SQL statements on the database backend and gain access to sensitive data.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...