Multiple vulnerabilities in WorkDo products
Posted date 12/01/2026
Identifier
INCIBE-2026-014
Importance
3 - Medium
Affected Resources
- TicketGo
- eCommerceGo SaaS
- HRMGo
Description
INCIBE has coordinated the publication of four vulnerabilities, all of medium severity, affecting TicketGo, eCommerceGo SaaS, and HRMGo from WorkDo. The vulnerabilities were discovered by Gonzalo Aguilar García (6h4ack).
The vulnerabilities have been assigned the following codes, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type:
- From CVE-2025-40975 to CVE-2025-40978: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
Solution
No solution has been reported at this time.
Detail
- CVE-2025-40975: Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's HRMGo, caused by a lack of proper validation of user input. It is triggered by sending a POST request to ‘/hrmgo/ticket/changereply’ using the ‘description’ parameter.
- CVE-2025-40976: Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's TicketGo, caused by a lack of proper validation of user input. It is triggered by sending a POST request to ‘/ticketgo-saas/home’ using the ‘description’ parameter.
- CVE-2025-40977: Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's eCommerceGo SaaS, caused by a lack of proper validation of user input. It is triggered by sending a POST request to ‘/store-ticket’ using the ‘subject’ and ‘description’ parameters.
- CVE-2025-40978: Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's eCommerceGo SaaS, caused by a lack of proper validation of user input. It is triggered by sending a POST request to ‘/ticket/x/conversion’ using the ‘reply_description’ parameter.
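With no fix reported, a compensating check at a reverse proxy or in a log pipeline can flag suspicious submissions to the listed endpoints. The following is an added example, not code from INCIBE or WorkDo; it assumes URL-encoded form bodies and that the ‘x’ in ‘/ticket/x/conversion’ stands for any single path segment.

```python
import html
import re
from urllib.parse import parse_qs, unquote

# Endpoints and parameters as listed in this advisory. Treating the "x"
# segment of /ticket/x/conversion as a wildcard is an assumption of this
# example, as is matching the paths from the site root.
WATCHED = [
    ("CVE-2025-40975", re.compile(r"^/hrmgo/ticket/changereply/?$"), {"description"}),
    ("CVE-2025-40976", re.compile(r"^/ticketgo-saas/home/?$"), {"description"}),
    ("CVE-2025-40977", re.compile(r"^/store-ticket/?$"), {"subject", "description"}),
    ("CVE-2025-40978", re.compile(r"^/ticket/[^/]+/conversion/?$"), {"reply_description"}),
]

# Heuristic markers of active HTML content: a tag opener, an inline event
# handler attribute, or a javascript: URI. Not exhaustive.
MARKUP = re.compile(r"</?[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def normalise(value):
    """Undo up to three extra layers of URL/HTML-entity encoding."""
    for _ in range(3):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def flag_request(method, path, body):
    """Return [(cve, parameter)] for watched fields that carry markup."""
    if method.upper() != "POST":
        return []
    fields = parse_qs(body, keep_blank_values=True)  # decodes one layer
    path = path.split("?", 1)[0]
    hits = []
    for cve, pattern, params in WATCHED:
        if not pattern.match(path):
            continue
        for name in sorted(params):
            if any(MARKUP.search(normalise(v)) for v in fields.get(name, [])):
                hits.append((cve, name))
    return hits
```

This is a detection aid only; it does not replace validation and output encoding in the application itself.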
CVE
- CVE-2025-40975: Severity: Medium | Exploitation: No | Manufacturer: WorkDo
- CVE-2025-40976: Severity: Medium | Exploitation: No | Manufacturer: WorkDo
- CVE-2025-40977: Severity: Medium | Exploitation: No | Manufacturer: WorkDo
- CVE-2025-40978: Severity: Medium | Exploitation: No | Manufacturer: WorkDo