
CVE-2025-67102: n/a

Severity: Unknown (no CVSS score assigned)
Published: Tue Feb 17 2026 (02/17/2026, 00:00:00 UTC)
Source: CVE Database V5

Description

A SQL injection vulnerability in the alldayoffs feature of Jorani up to v1.0.4 allows an authenticated attacker to execute arbitrary SQL commands via the entity parameter.

AI-Powered Analysis

Last updated: 02/18/2026, 08:33:06 UTC

Technical Analysis

CVE-2025-67102 identifies a SQL injection vulnerability in the alldayoffs feature of Jorani, an open-source leave management system, affecting versions up to 1.0.4. The entity parameter accepted by this feature is incorporated into a backend database query without adequate validation or parameterization, so an authenticated attacker can inject arbitrary SQL and alter the query the database executes, potentially reading, modifying, or deleting data. Because authentication is required, the attack surface is limited to holders of valid credentials, but no further user interaction is needed once an account is available. No CVSS score has been published and no exploitation in the wild is known at the time of writing; SQL injection nonetheless remains a critical vulnerability class because of its direct impact on data confidentiality, integrity, and availability. Jorani manages employee leave and related HR workflows, so the data reachable through the application's database includes sensitive personnel records. The record carries no patch link, which suggests a fix may not yet be publicly available and increases the urgency of interim mitigations. The CVE was reserved in December 2025 and published in February 2026, indicating recent discovery and disclosure.
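To make the flaw concrete, here is an added example that is not Jorani's code: a Python/sqlite3 stand-in for a day-off lookup keyed on an entity parameter. The schema, table and column names, the sample rows and the placeholder password values are all constructed for this illustration; the only thing taken from the advisory is the shape of the bug (a request parameter spliced into a query). It shows the concatenated query leaking another table via UNION and returning every organization's rows via a tautology, the same query with the value bound as a parameter (the payload becomes inert data), and a hardened version that additionally rejects anything that is not an integer identifier, which assumes, as the parameter name suggests, that entity is a numeric organization id.

```python
import re
import sqlite3

# Constructed, minimal stand-in for the relevant part of a leave-management
# schema. Table and column names are assumptions for this example, not
# Jorani's real schema; the password values are placeholders.
SCHEMA = """
CREATE TABLE organization (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE dayoffs (id INTEGER PRIMARY KEY, entity INTEGER, date TEXT, title TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password TEXT);
INSERT INTO organization VALUES (1, 'Head office'), (2, 'Branch');
INSERT INTO dayoffs VALUES (1, 1, '2026-01-01', 'New Year'),
                           (2, 2, '2026-05-01', 'Labour Day');
INSERT INTO users VALUES (1, 'admin', 'hash-placeholder-admin'),
                         (2, 'bob', 'hash-placeholder-bob');
"""


def build_db():
    """Create an in-memory SQLite database holding the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def alldayoffs_vulnerable(conn, entity):
    """Query built by string concatenation: the pattern the advisory describes.

    `entity` is whatever arrived in the request, so an authenticated user
    controls the tail of the SQL statement.
    """
    sql = "SELECT date, title FROM dayoffs WHERE entity = " + entity
    return conn.execute(sql).fetchall()


def alldayoffs_bound(conn, entity):
    """Same query with the value bound as a parameter.

    The driver passes the text as data, never as SQL, so a payload is compared
    against the column as an ordinary string and simply matches nothing.
    """
    sql = "SELECT date, title FROM dayoffs WHERE entity = ?"
    return conn.execute(sql, (entity,)).fetchall()


def alldayoffs_fixed(conn, entity):
    """Binding plus type validation: reject anything that is not an integer id.

    Assumes entity is a numeric organization identifier (an assumption made
    for this example). Refusing malformed input early gives a clean error
    instead of an empty result and makes probing visible in application logs.
    """
    if not re.fullmatch(r"[0-9]+", entity):
        raise ValueError("entity must be a positive integer identifier")
    sql = "SELECT date, title FROM dayoffs WHERE entity = ?"
    return conn.execute(sql, (int(entity),)).fetchall()


def demo():
    """Run the three variants against a legitimate value and two payloads."""
    conn = build_db()
    union_payload = "0 UNION ALL SELECT login, password FROM users"
    tautology_payload = "1 OR 1=1"
    out = {
        "legit": alldayoffs_vulnerable(conn, "1"),
        "vuln_union": alldayoffs_vulnerable(conn, union_payload),
        "vuln_tautology": alldayoffs_vulnerable(conn, tautology_payload),
        "bound_union": alldayoffs_bound(conn, union_payload),
        "fixed_legit": alldayoffs_fixed(conn, "1"),
    }
    try:
        alldayoffs_fixed(conn, union_payload)
        out["fixed_rejected"] = False
    except ValueError:
        out["fixed_rejected"] = True
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The UNION payload returns the users table through an endpoint that is only supposed to list day-offs, and the tautology returns every organization's rows rather than the caller's; neither needs anything beyond a valid login. Binding alone already neutralizes both, and the integer check on top turns a silent empty result into a logged rejection.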

Potential Impact

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of the HR and employee data managed within Jorani. Successful exploitation could allow an attacker to extract personal information, alter leave records, or disrupt HR operations, potentially leading to compliance violations under GDPR and other privacy regulations. Availability of the leave management system could also be affected if destructive SQL commands are executed. Organizations relying on Jorani for critical HR functions may face operational disruption and reputational damage. Because exploitation requires authentication, the primary risk vectors are insiders and compromised credentials; in a leave management tool every employee is typically a user, so the pool of accounts able to reach the vulnerable feature is large. The absence of known exploits lowers immediate risk but does not remove it, as exploit code commonly appears after public disclosure. The impact is heightened in sectors with stringent data protection requirements, such as finance, healthcare, and government institutions across Europe.

Mitigation Recommendations

Organizations should immediately restrict access to the alldayoffs feature within Jorani to trusted users and monitor for unusual access patterns, since any valid account is a potential attacker. Until an official patch is released, the root-cause fix is to stop building the query from the raw entity parameter: bind it as a query parameter (prepared statement or query-builder binding) rather than concatenating it, and reject values that do not match the expected form; if, as the parameter name suggests, entity is a numeric organization identifier, anything that is not a plain integer should be refused before it reaches the database. WAF rules that flag non-numeric or SQL-bearing values of the entity parameter on alldayoffs requests add a temporary layer in front of unpatched instances, but they are a stopgap rather than a fix. Conduct code review and penetration testing focused on the alldayoffs feature and on other endpoints that accept similar identifiers, since the same coding pattern often recurs. Update Jorani as soon as a fixed release is available. Enforce least privilege on the database account Jorani uses (no DDL, no file-system privileges, no access to unrelated schemas) so that a successful injection cannot escalate beyond the application's own tables. Maintain request logging that preserves query strings, with alerting on anomalies, to support rapid incident response.
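The monitoring and WAF points above reduce to one check: on requests to the vulnerable feature, does the entity value look like an identifier or like SQL? The following added example (not part of the advisory or of Jorani) applies that check to web server access logs. The log lines are constructed, and the URL path /calendar/alldayoffs is an assumption made for this example; substitute whatever path your instance records. The same predicate can be expressed as a WAF rule for blocking rather than alerting.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-log-format line: client, ident, authenticated user, timestamp,
# request line, status, size. Only the fields used below are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)

# Constructed sample traffic. The path /calendar/alldayoffs is an assumption
# for this example, not taken from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - alice [17/Feb/2026:10:01:12 +0000] "GET /calendar/alldayoffs?entity=1&children=1 HTTP/1.1" 200 512
10.0.0.9 - bob [17/Feb/2026:10:02:40 +0000] "GET /calendar/alldayoffs?entity=0+UNION+ALL+SELECT+login%2Cpassword+FROM+users HTTP/1.1" 200 2048
10.0.0.9 - bob [17/Feb/2026:10:02:41 +0000] "GET /calendar/alldayoffs?entity=1%20OR%201%3D1 HTTP/1.1" 200 1800
10.0.0.7 - carol [17/Feb/2026:10:03:00 +0000] "GET /leaves HTTP/1.1" 200 300
10.0.0.7 - carol [17/Feb/2026:10:03:05 +0000] "GET /calendar/alldayoffs?entity=2 HTTP/1.1" 200 498
"""

# Assumes entity is a numeric identifier; anything else is worth a look.
ENTITY_OK = re.compile(r"[0-9]+")


def parse_line(line):
    """Return the captured fields of one access-log line, or None if unparsable."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def find_suspicious_entity(lines, feature="alldayoffs"):
    """Return one alert per request to `feature` whose entity is not a plain integer."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        if feature not in parts.path:
            continue
        # parse_qs decodes percent-escapes and '+', so the value is inspected
        # as the application would see it, not in its encoded log form.
        for value in parse_qs(parts.query).get("entity", []):
            if not ENTITY_OK.fullmatch(value):
                alerts.append({
                    "ip": rec["ip"],
                    "user": rec["user"],
                    "time": rec["ts"],
                    "entity": value,
                    "status": rec["status"],
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_entity(SAMPLE_LOG.splitlines()):
        print(f"{alert['time']} {alert['user']}@{alert['ip']} entity={alert['entity']!r} status={alert['status']}")
```

Decoding before matching matters: the UNION payload is logged as 0+UNION+ALL+SELECT+login%2Cpassword+FROM+users and would slip past a rule that only looks for spaces or commas in the raw query string. A 200 response on a flagged request, as in the sample, is the signal to pull that user's session and check what else the account touched.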


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-12-08T00:00:00.000Z
CVSS Version: null (no CVSS score assigned)
State: PUBLISHED

Threat ID: 699575bb80d747be2053769e

Added to database: 2/18/2026, 8:18:03 AM

Last enriched: 2/18/2026, 8:33:06 AM

Last updated: 2/21/2026, 12:16:37 AM


