
CVE-2026-21695

Severity: Medium · Public PoC available

Published: 08 January 2026

Modified: 12 January 2026
CVSS v3.1 Score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
EPSS Score: 0.0017 (37.9th percentile)
Risk Priority: 9 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-21695 is a medium-severity Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915) vulnerability in Kromit Titra. Its CVSS base score is 4.3 (Medium).

Operationally, it is ranked at the 37.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.


Vulnerability details

Titra is open source project time tracking software. In versions 0.99.49 and below, an API has a Mass Assignment vulnerability which allows authenticated users to inject arbitrary fields into time entries, bypassing business logic controls via the customfields parameter. The affected endpoint uses the JavaScript spread operator (...customfields) to merge user-controlled input directly into the database document. While customfields is validated as an Object type, there is no validation of which keys are permitted inside that object. This allows attackers to overwrite protected fields such as userId, hours, and state. The issue is fixed in version 0.99.50.
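The pattern described above, as an added illustrative example that is not Titra's own code: a document builder that spreads a caller-supplied customfields object over server-set fields, beside an allowlist-based merge that keeps protected keys under server control. Function names, the field names and the allowlist are assumptions for the illustration.

```javascript
// Added example (not from the Titra project). Field names and the
// allowlist are assumed for illustration.
const PROTECTED_FIELDS = new Set(['_id', 'userId', 'hours', 'state']);

// Vulnerable pattern: customfields is spread AFTER the server-set fields,
// so any key the caller includes (userId, hours, state, ...) silently
// replaces the server's value. Checking "is an Object" does not help.
function buildEntryVulnerable(authUserId, hours, customfields) {
  return { userId: authUserId, hours, state: 'new', ...customfields };
}

// Hardened pattern: copy only keys on an explicit allowlist, never a
// protected key, and apply server-controlled fields LAST so they win
// regardless of what the client sent.
function buildEntryHardened(authUserId, hours, customfields, allowedKeys) {
  const safeCustom = {};
  for (const key of Object.keys(customfields ?? {})) {
    if (allowedKeys.has(key) && !PROTECTED_FIELDS.has(key)) {
      safeCustom[key] = customfields[key];
    }
  }
  return { ...safeCustom, userId: authUserId, hours, state: 'new' };
}

// Detection helper for request logging / WAF rules: report which
// protected keys a customfields payload attempted to set.
function findProtectedKeys(customfields) {
  return Object.keys(customfields ?? {}).filter((k) => PROTECTED_FIELDS.has(k));
}

// Constructed sample payload: one legitimate custom field plus three
// attempts to override server-controlled fields.
const samplePayload = { project: 'demo', userId: 'someone-else', hours: 999, state: 'approved' };
module.exports = { buildEntryVulnerable, buildEntryHardened, findProtectedKeys, samplePayload };
```

Any non-empty result from findProtectedKeys on an authenticated request is a cheap, high-signal detection point for this class of mass-assignment attempt.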


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: kromit
Product: titra
Versions: ≤ 0.99.50

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
