CVE-2025-26347
In short
Q-Free MaxTime versions up to 2.11.0 allow anyone on the internet to change user permissions without logging in. This is critical because an attacker can gain unauthorized access or escalate their privileges.
Technical detail
CWE-306 vulnerability in maxprofile/menu/routes.lua permits unauthenticated HTTP requests to modify user permissions. The affected function lacks authentication checks, enabling remote attackers to escalate privileges or alter access controls without valid credentials.
Summary generated and translated by AI from the official description.
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user permissions via crafted HTTP requests.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
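As an added illustration of the CWE-306 pattern described above (not code from Q-Free MaxTime or its routes.lua), the following Lua shows a permission-editing handler with no caller check beside a hardened form that authenticates and authorizes first, and a router that applies the authentication check by default so a single forgotten check cannot expose a critical function. The session store, route paths, request shape and the /menu/permissions path are assumptions constructed for the example.

```lua
-- Hypothetical code constructed for illustration; session store, routes
-- and request shape are assumptions, not Q-Free MaxTime internals.
local sessions = { ["tok-constructed-1"] = { user = "admin", role = "admin" } }
local permissions = { alice = { "view" } }

-- Authenticate a request from its session cookie; nil when no valid session.
local function session_of(req)
  local cookie = req.headers["cookie"]
  local token = cookie and cookie:match("session=([%w%-]+)")
  return token and sessions[token] or nil
end

-- Vulnerable shape: the handler applies the change without any check of
-- the caller, so an anonymous request can rewrite anyone's permissions.
local function edit_permissions_vulnerable(req)
  permissions[req.body.user] = req.body.perms
  return { status = 200 }
end

-- Hardened shape: authenticate first, then authorize this critical action.
local function edit_permissions_fixed(req)
  local s = session_of(req)
  if not s then return { status = 401 } end             -- no credentials
  if s.role ~= "admin" then return { status = 403 } end -- wrong role
  permissions[req.body.user] = req.body.perms
  return { status = 200 }
end

-- Deny by default: the router wraps every handler in the authentication
-- check unless a route is explicitly marked public, so a missing check
-- inside one handler cannot expose a critical function.
local routes = {}
local function register(path, handler, opts)
  routes[path] = function(req)
    if not (opts and opts.public) and not session_of(req) then
      return { status = 401 }
    end
    return handler(req)
  end
end
register("/login", function() return { status = 200 } end, { public = true })
register("/menu/permissions", edit_permissions_fixed)

-- Constructed requests: one anonymous, one carrying the admin session.
local anon = { headers = {}, body = { user = "alice", perms = { "view", "admin" } } }
local admin = { headers = { cookie = "session=tok-constructed-1" }, body = anon.body }
assert(edit_permissions_vulnerable(anon).status == 200) -- anonymous change accepted
assert(routes["/menu/permissions"](anon).status == 401) -- rejected before the handler runs
assert(routes["/menu/permissions"](admin).status == 200)
```

Reviewing a routes file for this weakness means checking that every state-changing route passes through such a wrapper, not just that some handlers contain a check.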
Affected products
Q-Free · MaxTime