titraio/titra

GitHub

github.com

titraio.github.io

Releases270

Frequency1 week 5 days

Last Release 9 days ago

Stars494

titra - modern open source project time tracking for freelancers and small teams

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2026-42092 ↗	May 4, 2026Monday, 4 May 2026, 18:16	6.5 MEDIUM	—
titra is an open source time tracking project. In version 0.99.52, the globalsettings Meteor publication returns all global settings without any admin or role check. Any authenticated user can subscribe via DDP and receive sensitive configuration fields such as google_secret, openai_apikey, and google_clientid. At time of publication no public patch is available.
CVE-2026-21694 ↗	Jan 8, 2026Thursday, 8 January 2026, 00:15	6.8 MEDIUM	—
Titra is open source project time tracking software. Versions 0.99.49 and below have Improper Access Control, allowing users to view and edit other users' time entries in private projects they have not been granted access to. This issue is fixed in version 0.99.50.
CVE-2026-21695 ↗	Jan 8, 2026Thursday, 8 January 2026, 00:15	4.3 MEDIUM	—
Titra is open source project time tracking software. In versions 0.99.49 and below, an API has a Mass Assignment vulnerability which allows authenticated users to inject arbitrary fields into time entries, bypassing business logic controls via the customfields parameter. The affected endpoint uses the JavaScript spread operator (...customfields) to merge user-controlled input directly into the database document. While customfields is validated as an Object type, there is no validation of which keys are permitted inside that object. This allows attackers to overwrite protected fields such as userId, hours, and state. The issue is fixed in version 0.99.50.
CVE-2025-69288 ↗	Dec 31, 2025Wednesday, 31 December 2025, 22:15	9.1 CRITICAL	—
Titra is open source project time tracking software. Prior to version 0.99.49, Titra allows any authenticated Admin user to modify the timeEntryRule in the database. The value is then passed to a NodeVM value to execute as code. Without sanitization, it leads to a Remote Code Execution. Version 0.99.49 fixes the issue.
CVE-2022-2595 ↗	Aug 1, 2022Monday, 1 August 2022, 15:15	10 CRITICAL	—
Improper Authorization in GitHub repository kromitgmbh/titra prior to 0.79.1.
CVE-2022-2098 ↗	Jun 16, 2022Thursday, 16 June 2022, 10:15	9.8 CRITICAL	5 MEDIUM
Weak Password Requirements in GitHub repository kromitgmbh/titra prior to 0.78.1.
CVE-2022-2026 ↗	Jun 9, 2022Thursday, 9 June 2022, 17:15	5.4 MEDIUM	3.5 LOW
Cross-site Scripting (XSS) - Stored in GitHub repository kromitgmbh/titra prior to 0.77.0.
CVE-2022-2027 ↗	Jun 9, 2022Thursday, 9 June 2022, 17:15	8 HIGH	3.5 LOW
Improper Neutralization of Formula Elements in a CSV File in GitHub repository kromitgmbh/titra prior to 0.77.0.
CVE-2022-2028 ↗	Jun 9, 2022Thursday, 9 June 2022, 17:15	5.4 MEDIUM	3.5 LOW
Cross-site Scripting (XSS) - Generic in GitHub repository kromitgmbh/titra prior to 0.77.0.
CVE-2022-2029 ↗	Jun 9, 2022Thursday, 9 June 2022, 17:15	5.4 MEDIUM	3.5 LOW
Cross-site Scripting (XSS) - DOM in GitHub repository kromitgmbh/titra prior to 0.77.0.