CVE-2025-26342
In short
A critical security flaw in Q-Free MaxTime allows anyone on the internet to create new user accounts, including admin accounts, without needing to log in first. This lets attackers take complete control of the system.
Technical detail
CWE-306 vulnerability in maxprofile/accounts/routes.lua permits unauthenticated HTTP requests to execute user creation functions, enabling arbitrary account provisioning including administrative privileges. Affects Q-Free MaxTime ≤2.11.0; exploitation requires network access to the vulnerable endpoint with no authentication barriers.
Summary generated and translated by AI from the official description.
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to create arbitrary users, including administrators, via crafted HTTP requests.
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
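The defect class the advisory describes, as an added example that is not Q-Free's code: a minimal account-creation handler that provisions whatever the request body asks for, beside the hardened form that first requires a valid session and then an admin caller. The Request/Store shapes, the bearer-token session lookup and the role names are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

# Constructed request/store shapes standing in for a web framework.
@dataclass
class Request:
    method: str
    path: str
    headers: dict
    body: dict

@dataclass
class Store:
    users: dict = field(default_factory=dict)     # username -> role
    sessions: dict = field(default_factory=dict)  # token -> username

def create_account_unprotected(req, store):
    """CWE-306 pattern: no check of who is calling before a privileged action."""
    user, role = req.body["username"], req.body.get("role", "user")
    store.users[user] = role          # an unauthenticated caller can set role=admin
    return 201, {"created": user, "role": role}

def current_user(req, store):
    """Resolve the caller from a bearer session token; None if unauthenticated."""
    token = req.headers.get("Authorization", "")
    if not token.startswith("Bearer "):
        return None
    return store.sessions.get(token[len("Bearer "):])

def create_account_protected(req, store):
    """Hardened: authenticate, then authorise (admin only), then validate input."""
    caller = current_user(req, store)
    if caller is None:
        return 401, {"error": "authentication required"}
    if store.users.get(caller) != "admin":
        return 403, {"error": "admin role required"}
    user, role = req.body["username"], req.body.get("role", "user")
    if role not in ("user", "admin"):
        return 400, {"error": "unknown role"}
    if user in store.users:
        return 409, {"error": "user already exists"}
    store.users[user] = role
    return 201, {"created": user, "role": role}
```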
Affected products
Q-Free · MaxTime