CVE-2025-26356
In short
A flaw in Q-Free MaxTime (version 2.11.0 and earlier) allows an authenticated user with high privileges to overwrite sensitive files on the controller by sending specially crafted HTTP requests to the setActive endpoint. The application does not properly validate the file path it builds from request input, so an attacker can reach files outside the intended directory. The CVSS vector rates the required privilege level as high (PR:H), so this is not reachable by an arbitrary logged-in user, but the impact on confidentiality, integrity and availability is rated high across the board.
Technical detail
A CWE-35 path traversal in the setActive endpoint (maxtime/api/database/database.lua) lets an authenticated attacker with high privileges escape the intended directory and overwrite sensitive files through improper path validation. CWE-35 is the variant in which sequences such as ".../...//" survive a filter that strips "../" in a single pass, leaving a usable "../" behind, so a sanitizer that merely removes traversal tokens is not a fix; the path must be resolved and checked against the allowed base directory. The attack requires valid high-privilege credentials; the impact includes compromise of system files and loss of configuration integrity.
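The following is an added illustration of the flaw class described above, not code from MaxTime or from database.lua (which is not reproduced on this page). It models a hypothetical "set active database" handler that writes a marker file under a fixed directory: the vulnerable version strips "../" once, exactly the pattern CWE-35 describes, so an input built from ".../...//" still climbs out of the base directory; the hardened version allowlists the name and then proves the resolved path stays under the base. The base directory, parameter name and file layout are assumptions for the example.

```python
import os
import re

# Assumed layout for the example only; the real product's paths are not on the page.
BASE_DIR = "/opt/maxtime/databases"
# Allowlist for a database name: no separators, no dots, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def naive_filter(name: str) -> str:
    """The single-pass '../' strip that CWE-35 warns about.

    Removing '../' from '.../...//' leaves '../' behind, so the filter
    can be bypassed by doubling up the traversal sequence.
    """
    return name.replace("../", "")


def resolve_vulnerable(name: str) -> str:
    """Build the target path using only the naive filter (vulnerable)."""
    return os.path.normpath(os.path.join(BASE_DIR, naive_filter(name)))


def escapes_base(path: str) -> bool:
    """True if a resolved path lies outside BASE_DIR."""
    base = os.path.normpath(BASE_DIR)
    return os.path.commonpath([base, os.path.normpath(path)]) != base


def resolve_hardened(name: str) -> str:
    """Allowlist the name, then verify the resolved path stays under BASE_DIR.

    realpath() follows symlinks, so a link planted inside BASE_DIR that points
    elsewhere is also caught by the containment check.
    """
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("database name rejected by allowlist")
    base = os.path.realpath(BASE_DIR)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("resolved path escapes base directory")
    return target


def hardened_accepts(name: str) -> bool:
    """Convenience wrapper: does the hardened resolver accept this name?"""
    try:
        resolve_hardened(name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed malicious input: three '.../...//' units, each of which
    # collapses to '../' after the naive filter, then a target file name.
    payload = ".../...//" * 3 + "etc/passwd"
    print("naive filter output:", naive_filter(payload))
    print("vulnerable resolves to:", resolve_vulnerable(payload))
    print("hardened accepts payload:", hardened_accepts(payload))
    print("hardened accepts 'main':", hardened_accepts("main"))
```

Running the block shows the naive filter turning the payload into "../../../etc/passwd", which normalises to "/etc/passwd" from the assumed base directory, while the hardened resolver rejects it before any filesystem access. The allowlist alone would already block this input; the realpath containment check is kept because a name that passes the allowlist can still resolve outside the base when a symlink exists under it.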
Summary generated and translated by AI from the official description.
A CWE-35 "Path Traversal" in maxtime/api/database/database.lua (setActive endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite sensitive files via crafted HTTP requests.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (base score 7.2, High)
Affected products
Q-Free · MaxTime