CVE-2026-42279

Severity: MEDIUM · EPSS 18.2%
Published May 8, 2026 · Modified Jun 17, 2026
CVSS 3.1 base score 5.8 (Medium)

Description

solidtime is an open-source time-tracking app. In version 0.12.0, the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} API accepts a route-bound timeEntry that belongs to another organization as long as the caller holds time-entries:update:all in the organization named in the URL. A caller who knows a foreign time entry's UUID can therefore modify that entry and rebind it to objects in the caller's own organization. This issue has been patched in version 0.12.1.
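As an added illustration of the authorization flaw class described above (CWE-639), and not solidtime's own code: a minimal Python model of an organization-scoped update handler, showing the tenancy check that the vulnerable path lacks beside the hardened form. The names TimeEntry, User, update_time_entry and the sample IDs are hypothetical, and answering 404 for a foreign entry is one reasonable choice, not necessarily what the upstream fix does.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class TimeEntry:
    id: str
    organization_id: str
    description: str = ""
    project_id: Optional[str] = None

@dataclass
class User:
    id: str
    permissions: dict = field(default_factory=dict)  # organization_id -> set of permission names

# Constructed sample data: two organizations; the caller is an admin of org-A only.
ENTRIES = {
    "te-aaaa": TimeEntry("te-aaaa", "org-A", "work for A"),
    "te-bbbb": TimeEntry("te-bbbb", "org-B", "work for B"),
}
ADMIN_A = User("u-1", {"org-A": {"time-entries:update:all"}})

def update_time_entry(user, route_org, entry_id, payload, *, scope_check):
    """Simplified PUT /organizations/{route_org}/time-entries/{entry_id}.

    Returns (http_status, entry). scope_check=False reproduces the vulnerable
    pattern; scope_check=True adds the missing tenancy check.
    """
    entry = ENTRIES.get(entry_id)
    if entry is None:
        return 404, None
    # Permission is evaluated against the organization named in the URL ...
    if "time-entries:update:all" not in user.permissions.get(route_org, set()):
        return 403, None
    # ... but the vulnerable path never verifies that the route-bound entry
    # belongs to that same organization, so any known UUID is accepted.
    if scope_check and entry.organization_id != route_org:
        return 404, None  # treat a foreign entry as not resolvable under this organization
    entry.description = payload.get("description", entry.description)
    entry.project_id = payload.get("project_id", entry.project_id)  # may now point into route_org
    return 200, entry
```

With scope_check=False the org-A admin can update te-bbbb (owned by org-B) and point it at an org-A project; with scope_check=True the same request is refused.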

CVSS Details

Base Score
5.8
Exploitability
1.3
Impact
4.0
Vector string
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N
Attack Vector Network
Attack Complexity High
Privileges Required High
User Interaction None
Scope Changed
Confidentiality None
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
18.2% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-639

Affected Products 1

Vendor     Product    Version  Range
solidtime  solidtime  0.12.0   any

References 3

  • github.com https://github.com/solidtime-io/solidtime/commit/b73aa543fdf5b61c37447307ab7277451296832c
    Patch
  • github.com https://github.com/solidtime-io/solidtime/releases/tag/v0.12.1
    Product, Release Notes
  • github.com https://github.com/solidtime-io/solidtime/security/advisories/GHSA-pmf9-pxq9-ccwr
    Exploit, Vendor Advisory

Remediation

  • github.com https://github.com/solidtime-io/solidtime/commit/b73aa543fdf5b61c37447307ab7277451296832c
    Patch