CVE-2025-26354

CVSS 7.2 HIGH · EPSS 0.8% · CWE-35
In short

An authenticated user can bypass file access restrictions in Q-Free MaxTime and overwrite important files by using specially crafted requests to the copy endpoint. This allows attackers with login access to damage or manipulate system files.

Technical detail

Path traversal vulnerability in the copy endpoint of maxtime/api/database/database.lua permits authenticated attackers to escape directory restrictions and overwrite arbitrary files. The vulnerability requires valid authentication credentials and allows file system manipulation through crafted HTTP requests, impacting confidentiality and integrity of protected resources.

Summary generated and translated by AI from the official description.
A CWE-35 "Path Traversal" in maxtime/api/database/database.lua (copy endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite sensitive files via crafted HTTP requests.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected products
Q-Free · MaxTime
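
A containment check of the kind that closes this class of bug in a file-copy handler, as an added example: it is not Q-Free's code (the page does not show database.lua) and is written in Python rather than Lua. The directory name, file names and function names are constructed for illustration.

```python
import os
import shutil
import tempfile

class PathEscapeError(ValueError):
    """A requested path resolves outside the allowed directory."""

def resolve_inside(base_dir, user_path):
    """Return the canonical form of user_path, or raise if it leaves base_dir."""
    base = os.path.realpath(base_dir)
    # Join, then canonicalize: realpath collapses "..", "." and symlinks, so the
    # comparison is made on the path the OS would actually open. An absolute
    # user_path replaces base in the join and is rejected by the same check.
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise PathEscapeError(f"{user_path!r} resolves outside {base}")
    return candidate

def safe_copy(base_dir, src_name, dst_name):
    """Copy src to dst only when BOTH names resolve inside base_dir."""
    src = resolve_inside(base_dir, src_name)
    dst = resolve_inside(base_dir, dst_name)
    shutil.copyfile(src, dst)
    return dst

def demo():
    """Run the check on constructed names; returns {name: 'copied' | 'rejected'}."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "databases")  # hypothetical storage directory
        os.mkdir(base)
        with open(os.path.join(base, "active.db"), "w") as fh:
            fh.write("constructed sample data")
        for dst in ("backup.db", "../outside.db", "/tmp/absolute.db", "sub/../ok.db"):
            try:
                safe_copy(base, "active.db", dst)
                results[dst] = "copied"
            except PathEscapeError:
                results[dst] = "rejected"
        results["escaped_file_exists"] = os.path.exists(os.path.join(root, "outside.db"))
    return results

if __name__ == "__main__":
    print(demo())
```

The check runs on the resolved path, not on the request string, so it does not depend on recognizing any particular traversal spelling.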
