Q-Free Maxtime vulnerabilities
43 known vulnerabilities affecting q-free/maxtime.
Total CVEs: 43
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 9, HIGH 22, MEDIUM 12
Vulnerabilities
CVE-2025-26341 | P2 | CRITICAL | CVSS 9.8 | CWE-306 | ≤ 2.11.0 | 2025-02-12
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset arbitrary user passwords via crafted HTTP requests.
nvd
CVE-2025-26339 | P2 | CRITICAL | CVSS 9.8 | CWE-306 | ≤ 2.11.0 | 2025-02-12
A CWE-306 "Missing Authentication for Critical Function" in maxtime/handleRoute.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to affect the device confidentiality, integrity, or availability in multiple unspecified ways via crafted HTTP requests.
nvd
CVE-2025-26342 | P2 | CRITICAL | CVSS 9.8 | CWE-306 | ≤ 2.11.0 | 2025-02-12
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to create arbitrary users, including administrators, via crafted HTTP requests.
nvd
CVE-2025-26359 | P2 | CRITICAL | CVSS 9.8 | CWE-306 | ≤ 2.11.0 | 2025-02-12
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset user PINs via crafted HTTP requests.
nvd
CVE-2025-26347 | P2 | CRITICAL | CVSS 9.8 | CWE-306 | ≤ 2.11.0 | 2025-02-12
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user permissions via crafted HTTP requests.
nvd
CVE-2025-26345 | P2 | CRITICAL | CVSS 9.8 | CWE-306 | ≤ 2.11.0 | 2025-02-12
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user group permissions via crafted HTTP requests.
nvd
CVE-2025-1100 | P2 | CRITICAL | CVSS 9.8 | CWE-259 | ≤ 2.11.0 | 2025-02-12
A CWE-259 "Use of Hard-coded Password" for the root account in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to execute arbitrary code with root privileges via SSH.
nvd
CVE-2025-26344 | P2 | CRITICAL | CVSS 9.8 | CWE-306 | ≤ 2.11.0 | 2025-02-12
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/guest-mode/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable passwordless guest mode via crafted HTTP requests.
nvd
CVE-2025-26361 | P2 | CRITICAL | CVSS 9.1 | CWE-306 | ≤ 2.11.0 | 2025-02-12
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to factory reset the device via crafted HTTP requests.
nvd
CVE-2025-26350 | P3 | HIGH | CVSS 8.8 | CWE-434 | ≤ 2.11.0 | 2025-02-12
A CWE-434 "Unrestricted Upload of File with Dangerous Type" in the template file uploads in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to upload malicious files via crafted HTTP requests.
nvd
CVE-2025-26340 | P3 | HIGH | CVSS 8.8 | CWE-321 | ≤ 2.11.0 | 2025-02-12
A CWE-321 "Use of Hard-coded Cryptographic Key" in the JWT signing in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to bypass the authentication via crafted HTTP requests.
nvd
CVE-2025-26375 | P3 | HIGH | CVSS 8.8 | CWE-862 | ≤ 2.11.0 | 2025-02-12
A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to create users with arbitrary privileges via crafted HTTP requests.
nvd
CVE-2025-26371 | P3 | HIGH | CVSS 8.8 | CWE-862 | ≤ 2.11.0 | 2025-02-12
A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add users to groups via crafted HTTP requests.
nvd
CVE-2025-26369 | P3 | HIGH | CVSS 8.8 | CWE-862 | ≤ 2.11.0 | 2025-02-12
A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add privileges to user groups via crafted HTTP requests.
nvd
CVE-2025-26378 | P3 | HIGH | CVSS 8.8 | CWE-862 | ≤ 2.11.0 | 2025-02-12
A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to reset passwords, including the ones of administrator accounts, via crafted HTTP requests.
nvd
CVE-2025-26343 | P3 | HIGH | CVSS 8.1 | CWE-1390 | ≤ 2.11.0 | 2025-02-12
A CWE-1390 "Weak Authentication" in the PIN authentication mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to brute-force user PINs via multiple crafted HTTP requests.
nvd
CVE-2025-26362 | P3 | HIGH | CVSS 7.5 | CWE-306 | ≤ 2.11.0 | 2025-02-12
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to set an arbitrary authentication profile server via crafted HTTP requests.
nvd
CVE-2025-26349 | P3 | HIGH | CVSS 7.2 | CWE-23 | ≤ 2.11.0 | 2025-02-12
A CWE-23 "Relative Path Traversal" in the file upload mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite arbitrary files via crafted HTTP requests.
nvd
CVE-2025-26346 | P3 | HIGH | CVSS 7.6 | CWE-89 | ≤ 2.11.0 | 2025-02-12
A CWE-89 "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" in maxprofile/menu/model.lua (editUserGroupMenu endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to execute arbitrary SQL commands via crafted HTTP requests.
nvd
CVE-2025-26348 | P3 | HIGH | CVSS 7.6 | CWE-89 | ≤ 2.11.0 | 2025-02-12
A CWE-89 "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" in maxprofile/menu/model.lua (editUserMenu endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to execute arbitrary SQL commands via crafted HTTP requests.
nvd