7.2

CVSS3.1

CVE-2025-26349 -

A CWE-23 "Relative Path Traversal" in the file upload mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite arbitrary files via crafted HTTP requests.

πŸ“… Published: Feb. 12, 2025, 1:27 p.m. πŸ”„ Last Modified: Oct. 24, 2025, 3:01 p.m.

5.5

CVSS3.1

CVE-2025-26348 -

A CWE-89 "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" in maxprofile/menu/model.lua (editUserMenu endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to execute arbitrary SQL commands via crafted HTTP requ…

πŸ“… Published: Feb. 12, 2025, 1:27 p.m. πŸ”„ Last Modified: Oct. 24, 2025, 3:02 p.m.

9.8

CVSS3.1

CVE-2025-26347 -

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user permissions via crafted HTTP requests.

πŸ“… Published: Feb. 12, 2025, 1:27 p.m. πŸ”„ Last Modified: Oct. 24, 2025, 3:03 p.m.

5.5

CVSS3.1

CVE-2025-26346 -

A CWE-89 "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" in maxprofile/menu/model.lua (editUserGroupMenu endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to execute arbitrary SQL commands via crafted HTTP…

πŸ“… Published: Feb. 12, 2025, 1:27 p.m. πŸ”„ Last Modified: Oct. 24, 2025, 3:03 p.m.

9.8

CVSS3.1

CVE-2025-26345 -

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user group permissions via crafted HTTP requests.

πŸ“… Published: Feb. 12, 2025, 1:27 p.m. πŸ”„ Last Modified: Oct. 24, 2025, 3:04 p.m.

9.8

CVSS3.1

CVE-2025-26344 -

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/guest-mode/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable passwordless guest mode via crafted HTTP requests.

πŸ“… Published: Feb. 12, 2025, 1:27 p.m. πŸ”„ Last Modified: Oct. 24, 2025, 3:04 p.m.

8.1

CVSS3.1

CVE-2025-26343 -

A CWE-1390 "Weak Authentication" in the PIN authentication mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to brute-force user PINs via multiple crafted HTTP requests.

πŸ“… Published: Feb. 12, 2025, 1:27 p.m. πŸ”„ Last Modified: Oct. 24, 2025, 3:04 p.m.

9.8

CVSS3.1

CVE-2025-26342 -

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to create arbitrary users, including administrators, via crafted HTTP requests.

πŸ“… Published: Feb. 12, 2025, 1:27 p.m. πŸ”„ Last Modified: Oct. 24, 2025, 3:04 p.m.

9.8

CVSS3.1

CVE-2025-26341 -

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset arbitrary user passwords via crafted HTTP requests.

πŸ“… Published: Feb. 12, 2025, 1:27 p.m. πŸ”„ Last Modified: Oct. 24, 2025, 3:05 p.m.

8.8

CVSS3.1

CVE-2025-26340 -

A CWE-321 "Use of Hard-coded Cryptographic Key" in the JWT signing in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to bypass the authentication via crafted HTTP requests.

πŸ“… Published: Feb. 12, 2025, 1:26 p.m. πŸ”„ Last Modified: Oct. 24, 2025, 2:58 p.m.
Total resulsts: 346099
Page 6456 of 34,610
Β« previous page Β» next page
Filters