CVE-2026-42279

EUVD-2026-28527
solidtime is an open-source time-tracking app. In version 0.12.0, the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} API accepts a route-bound timeEntry from another organization when the caller has time-entries:update:all in the URL organization, allowing a known foreign time-entry UUID to be modified and rebound to objects in the caller's organization. This issue has been patched in version 0.12.1.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.8 MEDIUM
NETWORK
HIGH
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 6%
Affected Products (NVD)
VendorProductVersion
solidtimesolidtime
0.12.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/solidtime-io/solidtime/commit/b73aa543fdf5b61c37447307ab7277451296832c
https://github.com/solidtime-io/solidtime/releases/tag/v0.12.1
https://github.com/solidtime-io/solidtime/security/advisories/GHSA-pmf9-pxq9-ccwr
https://github.com/solidtime-io/solidtime/security/advisories/GHSA-pmf9-pxq9-ccwr