CVE-2025-26349


CVSS 7.2 HIGH · EPSS 2.7% · CWE-23
In short

A file upload feature in Q-Free MaxTime allows authenticated users to upload files to unintended locations by using path tricks (like ../ sequences), potentially overwriting important system files.

Technical detail

A CWE-23 Relative Path Traversal vulnerability in the file upload mechanism of Q-Free MaxTime ≤2.11.0 permits authenticated attackers to manipulate file paths via crafted HTTP requests, enabling arbitrary file overwrite. The attack requires valid credentials but allows bypass of the intended directory restrictions.

Summary generated and translated by AI from the official description.
A CWE-23 "Relative Path Traversal" in the file upload mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite arbitrary files via crafted HTTP requests.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected products
Q-Free · MaxTime
