335 matches found
CVE-2025-26352
A CWE-35 "Path Traversal" in the template deletion mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to delete sensitive files via crafted HTTP requests...
CVE-2025-26351
CVE-2025-26351 describes a CWE-35 path traversal in the template download mechanism of Q-Free MaxTime (versions ≤ 2.11.0). An authenticated remote attacker can read sensitive files via crafted HTTP requests. Root cause: improper validation in the template download flow enabling path traversal. Im...
CVE-2025-26351
A CWE-35 "Path Traversal" in the template download mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to read sensitive files via crafted HTTP requests...
CVE-2025-26350
A CWE-434 "Unrestricted Upload of File with Dangerous Type" in the template file uploads in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to upload malicious files via crafted HTTP requests...
CVE-2025-26350
CVE-2025-26350 corresponds to a CWE-434 vulnerability in Q-Free MaxTime up to version 2.11.0, where the template file uploads allow an authenticated remote attacker to upload malicious files via crafted HTTP requests. The root cause is an unrestricted upload of files with dangerous types in the t...
CVE-2025-26349
A CWE-23 "Relative Path Traversal" in the file upload mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite arbitrary files via crafted HTTP requests...
CVE-2025-26349
CVE-2025-26349 affects Q-Free MaxTime 2.11.0 and earlier. A CWE-23 Relative Path Traversal flaw in the file upload mechanism allows an authenticated remote attacker to overwrite arbitrary files via crafted HTTP requests. Documents indicate the vulnerability directly impacts the MaxTime software w...
CVE-2025-26348
A CWE-89 "Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection'" in maxprofile/menu/model.lua editUserMenu endpoint in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to execute arbitrary SQL commands via crafted HTTP reques...
CVE-2025-26348
CVE-2025-26348 affects Q-Free MaxTime (MaxTime suite). The vulnerability is an SQL Injection (CWE-89) in maxprofile/menu/model.lua at the editUserMenu endpoint, exploitable via crafted HTTP requests to execute arbitrary SQL. Affected: MaxTime versions
CVE-2025-26347
CVE-2025-26347 affects Q-Free MaxTime (MaxTime Suite) ≤ 2.11.0. The vulnerability is in maxprofile/menu/routes.lua and is due to a missing authentication for a critical function (CWE-306). An unauthenticated remote attacker can edit user permissions via crafted HTTP requests, with CVSS 3.1 base s...
CVE-2025-26347
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user permissions via crafted HTTP requests...
CVE-2025-26346
A CWE-89 "Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection'" in maxprofile/menu/model.lua editUserGroupMenu endpoint in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to execute arbitrary SQL commands via crafted HTTP...
CVE-2025-26346
The CVE-2025-26346 entry concerns Q-Free MaxTime
CVE-2025-26345
CVE-2025-26345 affects Q-Free MaxTime ≤ 2.11.0. A CWE-306 vulnerability in maxprofile/menu/routes.lua allows an unauthenticated remote attacker to edit user group permissions via crafted HTTP requests. The issue is described as critical (CVSS 3.1: 9.8, Network, No Privileges) with no explicit rem...