Vulnerability Description
Titra is open source project time tracking software. Prior to version 0.99.49, Titra allows any authenticated Admin user to modify the timeEntryRule in the database. The value is then passed to a NodeVM value to execute as code. Without sanitization, it leads to a Remote Code Execution. Version 0.99.49 fixes the issue.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Kromit | Titra | < 0.99.49 |
Related Weaknesses (CWE)
References
- https://github.com/kromitgmbh/titra/commit/2e2ac5cbeed47a76720b21c7fde0214a242e0Patch
- https://github.com/kromitgmbh/titra/releases/tag/0.99.49Release Notes
- https://github.com/kromitgmbh/titra/security/advisories/GHSA-pqgx-6wg3-gmvrExploitVendor AdvisoryMitigation
- https://github.com/kromitgmbh/titra/security/advisories/GHSA-pqgx-6wg3-gmvrExploitVendor AdvisoryMitigation
FAQ
What is CVE-2025-69288?
CVE-2025-69288 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Titra is open source project time tracking software. Prior to version 0.99.49, Titra allows any authenticated Admin user to modify the timeEntryRule in the database. The value is then passed to a Node...
How severe is CVE-2025-69288?
CVE-2025-69288 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-69288?
Check the references section above for vendor advisories and patch information. Affected products include: Kromit Titra.