Cyber Resilience

CVE-2026-25947

Severity: High · Public PoC

Published: 10 February 2026
Modified: 23 February 2026
KEV Added: not listed
Patch: available (v2.1.7)
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0035 (27.2nd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-25947 is a high-severity SQL Injection (CWE-89) vulnerability in the Worklenz project management tool (vendor: Worklenz). Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 27.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced. The low EPSS score should not be read as low urgency: the vector requires only a low-privilege account, and working exploit code is already public.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-25947 is a set of multiple SQL injection vulnerabilities (CWE-89) in the Worklenz project management tool, affecting versions prior to 2.1.7. These flaws stem from improper backend SQL query construction and impact several components, including project and task management controllers, reporting and financial data endpoints, real-time socket.io handlers, and resource allocation and scheduling features. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant data compromise.

An attacker with low-privilege authenticated access (PR:L), such as a standard project user, can exploit these flaws over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows arbitrary SQL to run against the application database, with high impact on confidentiality (C:H), integrity (I:H) and availability (A:H): extracting sensitive project data, modifying tasks or financial records, deleting resources, or disrupting real-time features. Because the injectable sinks include socket.io handlers as well as HTTP controllers, controls that inspect only HTTP request bodies (a WAF or HTTP-layer input filter) do not cover the full attack surface.

Mitigation is available via the patch in Worklenz version v2.1.7, as detailed in the project's GitHub security advisory (GHSA-f2f8-2ppj-85pf), the release notes (https://github.com/Worklenz/worklenz/releases/tag/v2.1.7), and the fixing commit (https://github.com/Worklenz/worklenz/commit/76e5cb0f5dd566fb65586cd3db30ee951c92a32b). Security practitioners should urge immediate upgrades for affected deployments and, until the upgrade lands, review who can hold an authenticated account, since any low-privilege user meets the PR:L requirement. Tightening access limits exposure but does not remove the flaw.

Vulnerability details

Worklenz is a project management tool. Prior to 2.1.7, multiple SQL injection vulnerabilities were discovered in backend SQL query construction affecting project and task management controllers, reporting and financial data endpoints, real-time socket.io handlers, and resource allocation and scheduling features. The vulnerability has been patched in version v2.1.7.

CWE(s)

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in network-accessible web app (Worklenz) directly enables exploitation of public-facing applications for arbitrary query execution and data impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24956 (shared CWE-89)
CVE-2026-33615 (shared CWE-89)
CVE-2025-28939 (shared CWE-89)
CVE-2021-47872 (shared CWE-89)
CVE-2025-28873 (shared CWE-89)
CVE-2019-25636 (shared CWE-89)
CVE-2026-32611 (shared CWE-89)
CVE-2026-42755 (shared CWE-89)
CVE-2024-53544 (shared CWE-89)
CVE-2026-21410 (shared CWE-89)

Affected Assets

Vendor: worklenz
Product: worklenz
Affected versions: < 2.1.7 (fixed in 2.1.7)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Enforces validation of untrusted input at every affected backend endpoint, controller and socket.io handler so that malformed or hostile values are rejected before a query is built. Validation complements, rather than replaces, the durable fix of constructing SQL with bound parameters; an allow-listed identifier or a type-checked payload closes the cases that placeholders cannot cover.

SI-2 Flaw Remediation (prevent)

Addresses this specific CVE by requiring timely remediation through patching to version 2.1.7, which fixes the improper SQL query construction in multiple components.

RA-5 Vulnerability Monitoring and Scanning (detect)

Identifies SQL injection vulnerabilities like those in the project management controllers and financial endpoints via regular automated vulnerability scanning, and confirms that deployments have moved past the vulnerable version range.
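The following is an added example, not code from Worklenz or from the fixing commit. It illustrates the flaw class described in the deeper analysis (string-built SQL in a backend handler reachable from both an HTTP controller and a socket.io event) and the fix class the SI-10 control above calls for: bound parameters for values, allow-lists for identifiers, and payload validation at the handler boundary. The `tasks` table, its columns, UUID project identifiers, the node-postgres style `$n` placeholders and the event payload shape are all assumptions made for the example.

```typescript
// Added example, not Worklenz's own code. Models CWE-89 from string-built SQL
// in a backend handler and the corresponding hardened builder. The `tasks`
// table, its columns, UUID project ids and the `$n` placeholder style
// (node-postgres) are assumptions for illustration.

type QueryConfig = { text: string; values: unknown[] };

// Fields a task-list request might carry, whether it arrives over HTTP or as a
// socket.io event payload. All four are attacker-controlled.
interface TaskListRequest {
  projectId: string;
  search: string;
  sortBy: string;
  sortDir: string;
}

// VULNERABLE: every field is interpolated into the SQL text, so a single quote
// in `search` or a `;` in `sortBy` rewrites the statement itself.
function buildTaskQueryVulnerable(req: TaskListRequest): QueryConfig {
  const text =
    `SELECT id, name, status FROM tasks ` +
    `WHERE project_id = '${req.projectId}' ` +
    `AND name ILIKE '%${req.search}%' ` +
    `ORDER BY ${req.sortBy} ${req.sortDir}`;
  return { text, values: [] };
}

// Identifiers (column names, sort direction) cannot be bound as parameters, so
// they must come from a fixed allow-list rather than from the request.
const SORTABLE_COLUMNS = new Set(["name", "status", "created_at"]);
const SORT_DIRECTIONS = new Set(["asc", "desc"]);
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// HARDENED: values travel as bound parameters ($1, $2), so the database never
// parses attacker text as SQL. LIKE wildcards are escaped with PostgreSQL's
// default backslash escape so a user cannot widen the match; that is a
// data-level concern, separate from injection.
function buildTaskQueryHardened(req: TaskListRequest): QueryConfig {
  if (!UUID_RE.test(req.projectId)) throw new Error("invalid projectId");
  const sortBy = SORTABLE_COLUMNS.has(req.sortBy) ? req.sortBy : "created_at";
  const dir = req.sortDir.toLowerCase();
  const sortDir = SORT_DIRECTIONS.has(dir) ? dir : "asc";
  const pattern = "%" + req.search.replace(/[\\%_]/g, (c) => "\\" + c) + "%";
  const text =
    `SELECT id, name, status FROM tasks ` +
    `WHERE project_id = $1 AND name ILIKE $2 ` +
    `ORDER BY ${sortBy} ${sortDir}`;
  return { text, values: [req.projectId, pattern] };
}

// Shape validation for an untrusted payload (SI-10 at the handler boundary).
// A socket.io event hands the server whatever JSON the client sent, so the
// check has to live here, not in HTTP-only middleware or a WAF.
function parseTaskListPayload(payload: unknown): TaskListRequest {
  if (typeof payload !== "object" || payload === null) {
    throw new Error("payload must be an object");
  }
  const p = payload as Record<string, unknown>;
  const str = (k: keyof TaskListRequest): string => {
    const v = p[k];
    if (typeof v !== "string" || v.length > 200) throw new Error(`${k} must be a short string`);
    return v;
  };
  return { projectId: str("projectId"), search: str("search"), sortBy: str("sortBy"), sortDir: str("sortDir") };
}

// What a hypothetical socket.io "tasks:list" handler would call before querying.
function handleTaskListEvent(payload: unknown): QueryConfig {
  return buildTaskQueryHardened(parseTaskListPayload(payload));
}

// Constructed attack payload for illustration: a tautology in the search field
// and a stacked statement in the sort column.
const ATTACK: TaskListRequest = {
  projectId: "11111111-2222-3333-4444-555555555555",
  search: "x' OR '1'='1",
  sortBy: "name; DROP TABLE tasks",
  sortDir: "desc",
};

console.log(buildTaskQueryVulnerable(ATTACK).text); // attacker text became SQL
console.log(handleTaskListEvent(ATTACK));            // attacker text stays in `values`
```

The vulnerable builder emits the tautology and the stacked `DROP TABLE` as part of the statement; the hardened builder emits a fixed statement and carries the same attacker strings only as bound values, with the sort column silently falling back to the allow-listed default. Running the same builder from both the HTTP controller and the socket event handler is the point: the transport does not change the sink.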
