335 matches found
CVE-2025-26345
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user group permissions via crafted HTTP requests...
CVE-2025-26345
CVE-2025-26345 affects Q-Free MaxTime ≤ 2.11.0. A CWE-306 vulnerability in maxprofile/menu/routes.lua allows an unauthenticated remote attacker to edit user group permissions via crafted HTTP requests. The issue is described as critical (CVSS 3.1: 9.8, Network, No Privileges) with no explicit rem...
CVE-2025-26344
CVE-2025-26344 describes a CWE-306 vulnerability in Q-Free MaxTime
CVE-2025-26343
A CWE-1390 "Weak Authentication" in the PIN authentication mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to brute-force user PINs via multiple crafted HTTP requests...
CVE-2025-26343
CVE-2025-26343 affects Q-Free MaxTime Suite (
CVE-2025-26342
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to create arbitrary users, including administrators, via crafted HTTP requests...
CVE-2025-26342
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to create arbitrary users, including administrators, via crafted HTTP requests...
CVE-2025-26341
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset arbitrary user passwords via crafted HTTP requests...
CVE-2025-26341
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset arbitrary user passwords via crafted HTTP requests...
CVE-2025-26341
CVE-2025-26341 affects Q-Free MaxTime
CVE-2025-26340
A CWE-321 "Use of Hard-coded Cryptographic Key" in the JWT signing in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to bypass the authentication via crafted HTTP requests...
CVE-2025-26340
CVE-2025-26340 describes a CWE-321 vulnerability in Q-Free MaxTime (
CVE-2025-26340
A CWE-321 "Use of Hard-coded Cryptographic Key" in the JWT signing in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to bypass the authentication via crafted HTTP requests...
CVE-2025-26339
A CWE-306 "Missing Authentication for Critical Function" in maxtime/handleRoute.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to affect the device confidentiality, integrity, or availability in multiple unspecified ways via crafted HTTP...
CVE-2025-26339
CVE-2025-26339 affects Q-Free MaxTime: a missing authentication issue in maxtime/handleRoute.lua for MaxTime versions prior to or equal to 2.11.0. An unauthenticated remote attacker can impact device confidentiality, integrity, and availability via crafted HTTP requests. Remediation per PT-2025-7...
CVE-2025-1102
CVE-2025-1102 concerns a CWE-346 Origin Validation Error in the CORS configuration of Q-Free MaxTime (<= 2.11.0). The issue allows an unauthenticated remote attacker to affect device confidentiality, integrity, or availability via crafted URLs or HTTP requests. Connected sources confirm affect...
CVE-2025-1102
A CWE-346 "Origin Validation Error" in the CORS configuration in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to affect the device confidentiality, integrity, or availability via crafted URLs or HTTP requests...
CVE-2025-1101
CVE-2025-1101 affects Q-Free MaxTime <= 2.11.0. A CWE-204 vulnerability in the login page allows an unauthenticated remote attacker to enumerate valid usernames via crafted HTTP requests. The issue is triggered by an observable response discrepancy in the authentication flow, enabling user enu...
CVE-2025-1101
A CWE-204 "Observable Response Discrepancy" in the login page in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enumerate valid usernames via crafted HTTP requests...
CVE-2025-1100
CVE-2025-1100 affects Q-Free MaxTime versions