CVE-2025-67102
Published: 17 February 2026
Summary
CVE-2025-67102 is a high-severity SQL Injection (CWE-89) vulnerability in Jorani. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 14.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-67102 is a SQL injection vulnerability (CWE-89) in the alldayoffs feature of Jorani up to version 1.0.4. This flaw allows an authenticated attacker to execute arbitrary SQL commands by manipulating the entity parameter. The vulnerability carries a CVSS v3.1 base score of 7.6, reflecting network accessibility (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), low integrity impact (I:L), and low availability impact (A:L).
An authenticated attacker with low privileges can exploit this vulnerability remotely over the network, with no user interaction required. By injecting SQL through the entity parameter of the alldayoffs feature, the attacker can run arbitrary SQL statements and, given the high confidentiality impact, read sensitive data from the database; the ability to modify data or disrupt availability is limited (I:L, A:L).
For mitigation guidance, security practitioners should consult the advisories and resources at https://www.helx.io/blog/advisory-jorani/ and the Jorani GitHub repository at https://github.com/bbalet/jorani, published on 2026-02-17.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207708
Vulnerability details
A SQL injection vulnerability in the alldayoffs feature in Jorani up to v1.0.4, allows an authenticated attacker to execute arbitrary SQL commands via the entity parameter.
- CWE(s): CWE-89 (SQL Injection)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in web application directly enables remote exploitation of public-facing app (T1190) and unauthorized database data access (T1213.006).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly prevents SQL injection by validating untrusted inputs like the entity parameter before processing in the alldayoffs feature.
- SI-2 (Flaw Remediation): Remediates the specific SQL injection flaw in Jorani up to v1.0.4 by applying vendor patches or updates.
- Complementary input control: Restricts the format and content of the entity parameter to block malicious SQL payloads.
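The two input controls above (validate the entity parameter, then keep it out of the query text) can be shown side by side with a small example. This is an added illustration, not Jorani's code: the advisory does not describe Jorani's schema or how the entity parameter is used, so the `dayoffs` table, the assumption that entity is a numeric id, and the sample rows are all constructed here for demonstration. The unsafe function shows the CWE-89 pattern (request data interpolated into SQL); the hardened function applies an allowlist check first and then binds the value as a query parameter.

```python
import re
import sqlite3

# Constructed sample data. The real Jorani schema is NOT known from the
# advisory; this table is an assumption used only for illustration.
SAMPLE_ROWS = [
    (1, "Engineering", "2026-01-01"),
    (1, "Engineering", "2026-05-01"),
    (2, "Finance", "2026-12-25"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE dayoffs (entity_id INTEGER, entity_name TEXT, day TEXT)"
    )
    conn.executemany("INSERT INTO dayoffs VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


# --- Anti-pattern: the class of defect CWE-89 describes ----------------------
def lookup_unsafe(conn: sqlite3.Connection, entity: str) -> list:
    """The request parameter is pasted into the statement text, so any SQL
    syntax it contains becomes part of the query that the database runs."""
    sql = f"SELECT day FROM dayoffs WHERE entity_id = {entity} ORDER BY day"
    return [row[0] for row in conn.execute(sql)]


# --- Hardened form: SI-10 style allowlist, then a bound parameter ------------
# Assumption for this example: entity is a short decimal id. Anything else is
# rejected before it gets anywhere near SQL.
ENTITY_RE = re.compile(r"[0-9]{1,10}")


def validate_entity(entity: str) -> int:
    """Allowlist validation of the entity parameter (SI-10)."""
    if not isinstance(entity, str) or not ENTITY_RE.fullmatch(entity):
        raise ValueError("invalid entity parameter")
    return int(entity)


def lookup_safe(conn: sqlite3.Connection, entity: str) -> list:
    """Validate first, then bind the value so the driver treats it strictly as
    data: even a value that passed validation can never alter the query."""
    entity_id = validate_entity(entity)
    sql = "SELECT day FROM dayoffs WHERE entity_id = ? ORDER BY day"
    return [row[0] for row in conn.execute(sql, (entity_id,))]


if __name__ == "__main__":
    db = make_db()
    print("entity 1:", lookup_safe(db, "1"))
    try:
        lookup_safe(db, "1 OR 1=1")
    except ValueError as exc:
        print("rejected before any SQL ran:", exc)
```

The same shape applies in a PHP/CodeIgniter code base such as Jorani's: reject the parameter unless it matches the expected form, and pass it through query bindings or the query builder rather than concatenating it into the statement. Either layer alone closes this class of bug; keeping both means a validation mistake still cannot become injection.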