CVE-2026-25947
Multiple SQL Injection Vulnerabilities in Worklenz Project Management Tool
Publication date: 2026-02-10
Last updated on: 2026-02-23
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| worklenz | worklenz | to 2.1.7 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25947 is a set of multiple critical SQL injection vulnerabilities found in the backend of the Worklenz project management tool prior to version 2.1.7.
These vulnerabilities arise from unsafe construction of SQL queries using direct string interpolation and improper input validation in various components such as project and task management controllers, reporting and financial data endpoints, real-time socket.io handlers, and resource allocation and scheduling features.
Attackers with low privileges and no user interaction can exploit these flaws to inject malicious SQL code, potentially manipulating or extracting sensitive data.
The vulnerabilities were fixed in version 2.1.7 by introducing a new SqlHelper utility for secure parameterized queries, refactoring affected code to avoid unsafe string interpolation, and implementing strict input validation.
How can this vulnerability impact me? :
Exploitation of these SQL injection vulnerabilities can have severe impacts including unauthorized access to sensitive information such as user credentials, authentication tokens, personally identifiable information (PII), financial data, and internal application data.
Attackers can manipulate or delete database records, escalate privileges by altering user roles and permissions, and conduct mass deletion attacks that could compromise the entire database.
Such impacts may lead to financial fraud, loss of data integrity and availability, and significant business disruption.
There are no effective workarounds; users must upgrade to version 2.1.7 or later to mitigate these risks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There are no specific detection commands or network/system detection methods provided in the available information for CVE-2026-25947.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the vulnerability CVE-2026-25947, users should immediately upgrade the Worklenz project management tool to version 2.1.7 or later, where the SQL injection vulnerabilities have been fixed.
- Upgrade to Worklenz version 2.1.7 which includes a security release addressing multiple critical SQL injection vulnerabilities.
- Ensure that the backend code uses parameterized SQL queries instead of unsafe string interpolation.
- Apply comprehensive input validation including UUID format validation, color code whitelisting, and sort field whitelisting as implemented in the patch.
- Remove or avoid unsafe coding patterns such as the use of the flatString() helper and direct string interpolation in SQL query construction.
- If immediate upgrade is not possible, restrict API access to trusted authenticated users, monitor logs for suspicious queries or errors, and consider disabling affected features temporarily, although these are not full mitigations.