CVE-2025-69288

Published: Dec 31, 2025Modified: Jan 13, 2026

9.1

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Exploitability: 2.3 / Impact: 6.0

Source: NVD

Description

Titra is open source project time tracking software. Prior to version 0.99.49, Titra allows any authenticated Admin user to modify the timeEntryRule in the database. The value is then passed to a NodeVM value to execute as code. Without sanitization, it leads to a Remote Code Execution. Version 0.99.49 fixes the issue.

Affected (1)

Products: Kromit: Titra

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Kromit Titra	Before 0.99.49

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (4)

https://github.com/kromitgmbh/titra/commit/2e2ac5cbeed47a76720b21c7fde0214a242e065e

Source: security-advisories@github.com

Patch

https://github.com/kromitgmbh/titra/releases/tag/0.99.49

Source: security-advisories@github.com

Release Notes

https://github.com/kromitgmbh/titra/security/advisories/GHSA-pqgx-6wg3-gmvr

Source: security-advisories@github.com

ExploitVendor AdvisoryMitigation

https://github.com/kromitgmbh/titra/security/advisories/GHSA-pqgx-6wg3-gmvr

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitVendor AdvisoryMitigation

Timeline

No history available yet.