Vulnerabilities in Q-Free
43 results

CVE-2025-26349 (HIGH, EPSS 2.7%)
A CWE-23 "Relative Path Traversal" in the file upload mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticat

CVE-2025-26340 (HIGH, EPSS 1.1%)
A CWE-321 "Use of Hard-coded Cryptographic Key" in the JWT signing in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthen

CVE-2025-26347 (CRITICAL, EPSS 1.0%)
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.

CVE-2025-26339 (CRITICAL, EPSS 1.0%)
A CWE-306 "Missing Authentication for Critical Function" in maxtime/handleRoute.lua in Q-Free MaxTime less than or equal to version 2.11.0 a

CVE-2025-26342 (CRITICAL, EPSS 1.0%)
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2

CVE-2025-26341 (CRITICAL, EPSS 1.0%)
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2

CVE-2025-26345 (CRITICAL, EPSS 1.0%)
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.

CVE-2025-26344 (CRITICAL, EPSS 1.0%)
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/guest-mode/routes.lua in Q-Free MaxTime less than or equal to version

CVE-2025-26352 (MEDIUM, EPSS 1.0%)
A CWE-35 "Path Traversal" in the template deletion mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated

CVE-2025-26355 (MEDIUM, EPSS 0.9%)
A CWE-35 "Path Traversal" in maxtime/api/database/database.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticate

CVE-2025-26359 (CRITICAL, EPSS 0.9%)
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2

CVE-2025-26343 (HIGH, EPSS 0.8%)
A CWE-1390 "Weak Authentication" in the PIN authentication mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauth

CVE-2025-26350 (MEDIUM, EPSS 0.8%)
A CWE-434 "Unrestricted Upload of File with Dangerous Type" in the template file uploads in Q-Free MaxTime less than or equal to version 2.1

CVE-2025-26353 (MEDIUM, EPSS 0.8%)
A CWE-35 "Path Traversal" in maxtime/api/sql/sql.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote a

CVE-2025-26351 (MEDIUM, EPSS 0.8%)
A CWE-35 "Path Traversal" in the template download mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated

CVE-2025-26361 (CRITICAL, EPSS 0.8%)
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11

CVE-2025-26356 (HIGH, EPSS 0.8%)
A CWE-35 "Path Traversal" in maxtime/api/database/database.lua (setActive endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 a

CVE-2025-26354 (HIGH, EPSS 0.8%)
A CWE-35 "Path Traversal" in maxtime/api/database/database.lua (copy endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows

CVE-2025-1100 (CRITICAL, EPSS 0.7%)
A CWE-259 "Use of Hard-coded Password" for the root account in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated

CVE-2025-26357 (MEDIUM, EPSS 0.7%)
A CWE-35 "Path Traversal" in maxtime/api/database/database.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticate