CVE-2026-25947
Undergoing Analysis Undergoing Analysis - In Progress
Multiple SQL Injection Vulnerabilities in Worklenz Project Management Tool

Publication date: 2026-02-10

Last updated on: 2026-02-23

Assigner: GitHub, Inc.

Description
Worklenz is a project management tool. Prior to 2.1.7, there are multiple SQL injection vulnerabilities were discovered in backend SQL query construction affecting project and task management controllers, reporting and financial data endpoints, real-time socket.io handlers, and resource allocation and scheduling features. The vulnerability has been patched in version v2.1.7.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-10
Last Modified
2026-02-23
Generated
2026-06-16
AI Q&A
2026-02-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25947
EUVD
EUVD-2026-6752
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
worklenz worklenz to 2.1.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-25947 is a set of multiple critical SQL injection vulnerabilities found in the backend of the Worklenz project management tool prior to version 2.1.7.

These vulnerabilities arise from unsafe construction of SQL queries using direct string interpolation and improper input validation in various components such as project and task management controllers, reporting and financial data endpoints, real-time socket.io handlers, and resource allocation and scheduling features.

Attackers with low privileges and no user interaction can exploit these flaws to inject malicious SQL code, potentially manipulating or extracting sensitive data.

The vulnerabilities were fixed in version 2.1.7 by introducing a new SqlHelper utility for secure parameterized queries, refactoring affected code to avoid unsafe string interpolation, and implementing strict input validation.

Impact Analysis

Exploitation of these SQL injection vulnerabilities can have severe impacts including unauthorized access to sensitive information such as user credentials, authentication tokens, personally identifiable information (PII), financial data, and internal application data.

Attackers can manipulate or delete database records, escalate privileges by altering user roles and permissions, and conduct mass deletion attacks that could compromise the entire database.

Such impacts may lead to financial fraud, loss of data integrity and availability, and significant business disruption.

There are no effective workarounds; users must upgrade to version 2.1.7 or later to mitigate these risks.

Compliance Impact

I don't know

Detection Guidance

There are no specific detection commands or network/system detection methods provided in the available information for CVE-2026-25947.

Mitigation Strategies

To mitigate the vulnerability CVE-2026-25947, users should immediately upgrade the Worklenz project management tool to version 2.1.7 or later, where the SQL injection vulnerabilities have been fixed.

  • Upgrade to Worklenz version 2.1.7 which includes a security release addressing multiple critical SQL injection vulnerabilities.
  • Ensure that the backend code uses parameterized SQL queries instead of unsafe string interpolation.
  • Apply comprehensive input validation including UUID format validation, color code whitelisting, and sort field whitelisting as implemented in the patch.
  • Remove or avoid unsafe coding patterns such as the use of the flatString() helper and direct string interpolation in SQL query construction.
  • If immediate upgrade is not possible, restrict API access to trusted authenticated users, monitor logs for suspicious queries or errors, and consider disabling affected features temporarily, although these are not full mitigations.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25947. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart