CVE-2026-21695
Last modified
CVE-2026-21695 is a medium-severity vulnerability rated 4.3/10 on the CVSS scale. Titra is open source project time tracking software. In versions 0.99.49 and below, an API has a Mass Assignment vulnerability which allows authenticated users to inject arbitrary fields into time entries, bypassing business logic controls via the customfields parameter. EPSS estimates a 0.24% chance of exploitation in the next 30 days.
Description
Titra is open source project time tracking software. In versions 0.99.49 and below, an API has a Mass Assignment vulnerability which allows authenticated users to inject arbitrary fields into time entries, bypassing business logic controls via the customfields parameter. The affected endpoint uses the JavaScript spread operator (...customfields) to merge user-controlled input directly into the database document. While customfields is validated as an Object type, there is no validation of which keys are permitted inside that object. This allows attackers to overwrite protected fields such as userId, hours, and state. The issue is fixed in version 0.99.50.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Kromit | Titra | < 0.99.50 |
References
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-21695?
How severe is CVE-2026-21695?
How do I fix CVE-2026-21695?
Are you affected by CVE-2026-21695?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST