CVE-2025-69288

critical

Description

Titra is open-source project time-tracking software. Prior to version 0.99.49, Titra allows any authenticated Admin user to modify the timeEntryRule value in the database. That value is then passed to a NodeVM instance and executed as code. Because it is not sanitized, this results in remote code execution. Version 0.99.49 fixes the issue.

References

https://github.com/kromitgmbh/titra/security/advisories/GHSA-pqgx-6wg3-gmvr

https://github.com/kromitgmbh/titra/releases/tag/0.99.49

https://github.com/kromitgmbh/titra/commit/2e2ac5cbeed47a76720b21c7fde0214a242e065e

Details

Source: Mitre, NVD

Published: 2025-12-31

Updated: 2025-12-31

Risk Information

CVSS v2

Base Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:M/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 9.1

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.00198