CVE-2025-26353
In short
An authenticated user can trick the MaxTime application into reading files outside the intended directory by manipulating file paths in HTTP requests. This allows them to access sensitive information they shouldn't be able to see.
Technical detail
CWE-35 path traversal vulnerability in maxtime/api/sql/sql.lua (Q-Free MaxTime ≤2.11.0) permits authenticated attackers to read arbitrary files via specially crafted HTTP requests. The attack requires prior authentication and allows disclosure of sensitive data through directory traversal sequences.
Summary generated and translated by AI from the official description.
A CWE-35 "Path Traversal" in maxtime/api/sql/sql.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to read sensitive files via crafted HTTP requests.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Affected products
Q-Free · MaxTime