CVE-2025-69288 CRITICAL

CVE-2025-69288: Titra has Remote Code Execution in Admin Functionality

Vendor Kromitgmbh

Product titra

Weakness CWE-20 · Input validation

Published December 31, 2025

Last update January 2, 2026

View on NVD All CVEs

CVSS base score

9.1/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Titra is open source project time tracking software. Prior to version 0.99.49, Titra allows any authenticated Admin user to modify the timeEntryRule in the database. The value is then passed to a NodeVM value to execute as code. Without sanitization, it leads to a Remote Code Execution. Version 0.99.49 fixes the issue.

Key dates

02Disclosure timeline

December 31, 2025 CVE published

January 2, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-69288 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/20.html

Related vulnerabilities

CVE-2025-69288: Titra has Remote Code Execution in Admin Functionality

01Description

02Disclosure timeline

03References

04Related CVE