CVE-2025-59920

Vulnerability Description

When hours are entered in time@work, version 7.0.5, it performs a query to display the projects assigned to the user. If the query URL is copied and opened in a new browser window, the ‘IDClient’ parameter is vulnerable to a blind authenticated SQL injection. If the request is made with the TWAdmin user with the sysadmin role enabled, exploiting the vulnerability will allow commands to be executed on the system; if the user does not belong to the sysadmin role, they will still be able to query data from the database.

Vulnerability Details

Published Date

February 18, 2026

Last Modified

February 18, 2026

CWE ID

CWE-89

Source

NVD

Vendor

systems at work

Product

time at work

External References

https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-timework-systemswork

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment