CVE-2025-15562

MEDIUM

6.1

Description

The server API endpoint /report/internet/urls reflects received data into the HTML response without applying proper encoding or filtering. This allows an attacker to execute arbitrary JavaScript in the victim's browser if the victim opens a URL prepared by the attacker.

CVE Details

CVSS v3.1 Score6.1

SeverityMEDIUM

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredNONE

User InteractionREQUIRED

Published2/19/2026

Last Modified2/26/2026

Sourcenvd

Honeypot Sightings0

Affected Products

nestersoft:worktime

Weaknesses (CWE)

CWE-79

References

https://r.sec-consult.com/worktime(551230f0-3615-47bd-b7cc-93e92e730bbf)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.