CVE-2025-15562

CVE-2025-15562: Reflected Cross-Site Scripting in NesterSoft WorkTime

Vendor Nestersoft Inc.
Product WorkTime (on-prem/cloud)
Weakness CWE-79 · XSS
Published February 19, 2026
Last update February 20, 2026

CVSS base score

What the vulnerability does

01Description

The server API endpoint /report/internet/urls reflects received data into the HTML response without applying proper encoding or filtering. This allows an attacker to execute arbitrary JavaScript in the victim's browser if the victim opens a URL prepared by the attacker.

Key dates

02Disclosure timeline

February 19, 2026 CVE published
February 20, 2026 Record updated