CVE-2026-21695

MEDIUM

Titra <0.99.49 - Mass Assignment

Title source: llm

Description

Titra is open source project time tracking software. In versions 0.99.49 and below, an API has a Mass Assignment vulnerability which allows authenticated users to inject arbitrary fields into time entries, bypassing business logic controls via the customfields parameter. The affected endpoint uses the JavaScript spread operator (...customfields) to merge user-controlled input directly into the database document. While customfields is validated as an Object type, there is no validation of which keys are permitted inside that object. This allows attackers to overwrite protected fields such as userId, hours, and state. The issue is fixed in version 0.99.50.

References (2)

[Exploit, Vendor Advisory] https://github.com/kromitgmbh/titra/security/advisories/GHSA-gc65-vr47-jppq

[Patch] https://github.com/kromitgmbh/titra/commit/29e6b88eca005107729e45a6f1731cf0fa5f8938

View Patch ZIP pw:eip

Scores

CVSS v3 4.3

EPSS 0.0007

EPSS Percentile 21.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-915

Status published

Products (1)

kromit/titra < 0.99.50

Published Jan 08, 2026

Tracked Since Feb 18, 2026