CVE-2025-26339
In short
Q-Free MaxTime versions 2.11.0 and earlier allow anyone who can reach the device over the network to perform critical operations on the system without logging in, potentially stealing data, changing settings, or crashing the service.
Technical detail
Missing authentication in maxtime/handleRoute.lua permits unauthenticated remote HTTP requests to access critical functions in Q-Free MaxTime ≤2.11.0, enabling attackers to compromise confidentiality, integrity, and availability through crafted payloads without requiring valid credentials.
Summary generated and translated by AI from the official description.
A CWE-306 "Missing Authentication for Critical Function" in maxtime/handleRoute.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to affect the device confidentiality, integrity, or availability in multiple unspecified ways via crafted HTTP requests.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Q-Free · MaxTime