CVE-2025-26350
In short
Q-Free MaxTime allows authenticated users to upload malicious files without proper restrictions, potentially leading to code execution or system compromise. This happens because the application doesn't adequately validate file types during template uploads.
Technical detail
CWE-434 unrestricted file upload vulnerability in Q-Free MaxTime ≤2.11.0 template upload functionality allows authenticated attackers to bypass file type validation via crafted HTTP requests, enabling arbitrary file upload and potential remote code execution depending on web server configuration and file handling mechanisms.
Summary generated and translated by AI from the official description.
A CWE-434 "Unrestricted Upload of File with Dangerous Type" in the template file uploads in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to upload malicious files via crafted HTTP requests.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Affected products
Q-Free · MaxTime