CVE-2025-15559

nvd nist
Published: Feb 19, 2026
Modified: Mar 3, 2026

CVSS score: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

An unauthenticated attacker can inject OS commands when calling a server API endpoint in NesterSoft WorkTime. The server API call to generate and download the WorkTime client from the WorkTime server is vulnerable in the “guid” parameter. This allows an attacker to execute arbitrary commands on the WorkTime server as NT Authority\SYSTEM with the highest privileges. Attackers are able to access or manipulate sensitive data and take over the whole server.

Affected (2)

Products: Nestersoft: Worktime
1 product
Worktime
Configuration A
2 vulnerable
Vulnerable Software | Affected Versions
Nestersoft
Up to 11.8.8
Up to 11.8.8

References (1)

Source: 551230f0-3615-47bd-b7cc-93e92e730bbf
Third Party Advisory
