CVE-2025-26355
In short
An authenticated attacker can delete important files on a Q-Free MaxTime server by using specially crafted requests that bypass directory restrictions. This is dangerous because it can lead to data loss or system disruption.
Technical detail
A path traversal vulnerability (CWE-35) in maxtime/api/database/database.lua allows authenticated remote attackers to access and delete files outside the intended directory through manipulated HTTP requests. The vulnerability requires valid authentication credentials and affects Q-Free MaxTime versions up to 2.11.0, with potential impact on system availability and data integrity.
Summary generated and translated by AI from the official description.
A CWE-35 "Path Traversal" in maxtime/api/database/database.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to delete sensitive files via crafted HTTP requests.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Affected products
Q-Free · MaxTime