7.5

CVSS3.1

CVE-2025-26362 -

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to set an arbitrary authentication profile server via crafted HTTP requests.

📅 Published: Feb. 12, 2025, 1:29 p.m. 🔄 Last Modified: Oct. 28, 2025, 3:42 p.m.

9.1

CVSS3.1

CVE-2025-26361 -

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to factory reset the device via crafted HTTP requests.

📅 Published: Feb. 12, 2025, 1:29 p.m. 🔄 Last Modified: Oct. 28, 2025, 3:44 p.m.

5.3

CVSS3.1

CVE-2025-26360 -

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/persistance/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to delete dashboards via crafted HTTP requests.

📅 Published: Feb. 12, 2025, 1:29 p.m. 🔄 Last Modified: Oct. 28, 2025, 3:45 p.m.

9.8

CVSS3.1

CVE-2025-26359 -

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset user PINs via crafted HTTP requests.

📅 Published: Feb. 12, 2025, 1:28 p.m. 🔄 Last Modified: Oct. 28, 2025, 3:45 p.m.

5.5

CVSS3.1

CVE-2025-26358 -

A CWE-15 "External Control of System or Configuration Setting" in ldbMT.so in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to modify system configuration via crafted HTTP requests.

📅 Published: Feb. 12, 2025, 1:28 p.m. 🔄 Last Modified: Oct. 28, 2025, 3:45 p.m.

4.9

CVSS3.1

CVE-2025-26357 -

A CWE-35 "Path Traversal" in maxtime/api/database/database.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to read sensitive files via crafted HTTP requests.