CVE-2025-70368

5.4 MEDIUM

📋 TL;DR

Worklenz version 2.1.5 contains a stored XSS vulnerability in the Project Updates feature. An attacker can inject malicious JavaScript into the Updates text field, which executes in victims' browsers when they view the reporting page. This affects all users of Worklenz 2.1.5 who have access to project updates.

💻 Affected Systems

Products:
  • Worklenz
Versions: 2.1.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with Project Updates feature enabled and accessible to users.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker steals session cookies, performs account takeover, and accesses sensitive project data or executes administrative actions as authenticated users.

🟠 Likely Case

Attacker steals session tokens to hijack user accounts, potentially accessing confidential project information or modifying data.

🟢 If Mitigated

Impact is limited to session-cookie theft from users who view malicious updates, and proper CSP headers reduce it further.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to submit project updates. Public proof-of-concept demonstrates payload injection.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://github.com/Worklenz/worklenz

Restart Required: No

Instructions:

Monitor the Worklenz repository for security updates and apply the patch when available by updating to a fixed version.

🔧 Temporary Workarounds

Input Sanitization (applies to: all)

Implement server-side input validation and output encoding for the Project Updates field.

Content Security Policy (applies to: all)

Implement strict CSP headers to prevent script execution from untrusted sources, for example:

Content-Security-Policy: default-src 'self'; script-src 'self'
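The two workarounds above as an added example, not Worklenz's own code: an output-encoding helper applied to the Project Updates field at render time, and a handler that sets the recommended CSP header. The Express-style (req, res, next) signature and the field names author/content are assumptions.

```javascript
// Added example (not Worklenz code): output-encode the Project Updates text
// before it reaches the reporting page, and emit the CSP header recommended
// by the advisory. Express-style handler shape and field names are assumed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that could switch the HTML parser into a tag,
// attribute or entity context. Applied at output time, so updates stored
// before the fix are also neutralised when they are displayed.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Render one project update into the fragment the reporting view shows.
// Only the fixed markup is trusted; both user-controlled fields are encoded.
function renderUpdate(update) {
  return `<div class="update"><span class="author">${escapeHtml(update.author)}</span>` +
         `<p>${escapeHtml(update.content)}</p></div>`;
}

// The CSP from the advisory: only same-origin scripts may run, so an injected
// inline <script> is blocked even if encoding is missed somewhere.
const CSP_HEADER = "default-src 'self'; script-src 'self'";

function securityHeaders(req, res, next) {
  res.setHeader('Content-Security-Policy', CSP_HEADER);
  next();
}

// Constructed sample: the probe string from the advisory's verification step.
const sampleUpdate = { author: 'alice', content: "<script>alert('XSS')</script>" };
console.log(renderUpdate(sampleUpdate));
```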

🧯 If You Can't Patch

  • Disable Project Updates feature if not required
  • Restrict user permissions to submit project updates to trusted administrators only

🔍 How to Verify

Check if Vulnerable:

Test by submitting <script>alert('XSS')</script> in the Project Updates field and checking whether it executes in the reporting view.

Check Version:

Check the Worklenz version in the application settings or in the package.json file.

Verify Fix Applied:

Verify that submitted script payloads are properly sanitized and do not execute in the browser.

📡 Detection & Monitoring

Log Indicators:

  • Unusual length or pattern in project update submissions
  • JavaScript patterns in update content

Network Indicators:

  • Unexpected external script loads from project update pages

SIEM Query:

source="worklenz" AND (message="*<script>*" OR message="*javascript:*")
