HIGHCVE-2026-25947Published 2026-02-10Modified 2026-02-10CNA GitHub_M

CVE-2026-25947: Worklenz Boolean-Based Blind SQL Injection via Improper ORDER BY Clause Input Validation

Worklenz is a project management tool. Prior to 2.1.7, there are multiple SQL injection vulnerabilities were discovered in backend SQL query construction affecting project and task management controllers, reporting and financial data endpoints, real-time socket.io handlers, and resource allocation and scheduling features. The vulnerability has been patched in version v2.1.7.

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

Worklenz / worklenz
< 2.1.7

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

https://github.com/Worklenz/worklenz/security/advisories/GHSA-f2f8-2ppj-85pf
https://github.com/Worklenz/worklenz/commit/76e5cb0f5dd566fb65586cd3db30ee951c92a32b
https://github.com/Worklenz/worklenz/releases/tag/v2.1.7

Metrics