CVE-2025-26352
In short
An authenticated user can delete sensitive files from the Q-Free MaxTime system by sending crafted HTTP requests that traverse directory paths. An attacker with login access can use this to remove critical system files.
Technical detail
A path traversal vulnerability (CWE-35) in the template deletion mechanism of Q-Free MaxTime ≤2.11.0 permits authenticated remote attackers to delete arbitrary files by manipulating file path parameters in HTTP requests. The vulnerability requires valid credentials and can impact system integrity and availability.
Summary generated and translated by AI from the official description.
A CWE-35 "Path Traversal" in the template deletion mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to delete sensitive files via crafted HTTP requests.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Affected products
Q-Free · MaxTime