Q-Free Maxtime vulnerabilities
43 known vulnerabilities affecting q-free/maxtime.
Total CVEs: 43
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 9, HIGH 22, MEDIUM 12
Vulnerabilities
Page 2 of 3
CVE-2025-26364 | P3 | HIGH | CVSS 7.5 | CWE-306 | ≤ 2.11.0 | 2025-02-12
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to disable an authentication profile server via crafted HTTP requests.
nvd
CVE-2025-26363 | P3 | HIGH | CVSS 7.5 | CWE-306 | ≤ 2.11.0 | 2025-02-12
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable an authentication profile server via crafted HTTP requests.
nvd
CVE-2025-26365 | P3 | HIGH | CVSS 7.5 | CWE-306 | ≤ 2.11.0 | 2025-02-12
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable front panel authentication via crafted HTTP requests.
nvd
CVE-2025-26366 | P3 | HIGH | CVSS 7.5 | CWE-306 | ≤ 2.11.0 | 2025-02-12
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to disable front panel authentication via crafted HTTP requests.
nvd
CVE-2025-26368 | P3 | HIGH | CVSS 8.1 | CWE-862 | ≤ 2.11.0 | 2025-02-12
A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove user groups via crafted HTTP requests.
nvd
CVE-2025-26377 | P3 | HIGH | CVSS 8.1 | CWE-862 | ≤ 2.11.0 | 2025-02-12
A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove users via crafted HTTP requests.
nvd
CVE-2025-26372 | P3 | HIGH | CVSS 8.1 | CWE-862 | ≤ 2.11.0 | 2025-02-12
A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove users from groups via crafted HTTP requests.
nvd
CVE-2025-26356 | P3 | HIGH | CVSS 7.2 | CWE-35 | ≤ 2.11.0 | 2025-02-12
A CWE-35 "Path Traversal" in maxtime/api/database/database.lua (setActive endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite sensitive files via crafted HTTP requests.
nvd
CVE-2025-26354 | P3 | HIGH | CVSS 7.2 | CWE-35 | ≤ 2.11.0 | 2025-02-12
A CWE-35 "Path Traversal" in maxtime/api/database/database.lua (copy endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite sensitive files via crafted HTTP requests.
nvd
CVE-2025-26370 | P3 | HIGH | CVSS 7.1 | CWE-862 | ≤ 2.11.0 | 2025-02-12
A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove privileges from user groups via crafted HTTP requests.
nvd
CVE-2025-26376 | P3 | MEDIUM | CVSS 6.5 | CWE-862 | ≤ 2.11.0 | 2025-02-12
A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to modify user data via crafted HTTP requests.
nvd
CVE-2025-26373 | P3 | MEDIUM | CVSS 6.5 | CWE-862 | ≤ 2.11.0 | 2025-02-12
A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua (user endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to enumerate users via crafted HTTP requests.
nvd
CVE-2025-26355 | P3 | MEDIUM | CVSS 6.5 | CWE-35 | ≤ 2.11.0 | 2025-02-12
A CWE-35 "Path Traversal" in maxtime/api/database/database.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to delete sensitive files via crafted HTTP requests.
nvd
CVE-2025-26352 | P3 | MEDIUM | CVSS 6.5 | CWE-35 | ≤ 2.11.0 | 2025-02-12
A CWE-35 "Path Traversal" in the template deletion mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to delete sensitive files via crafted HTTP requests.
nvd
CVE-2025-26360 | P3 | MEDIUM | CVSS 5.3 | CWE-306 | ≤ 2.11.0 | 2025-02-12
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/persistance/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to delete dashboards via crafted HTTP requests.
nvd
CVE-2025-1102 | P4 | HIGH | CVSS 7.1 | CWE-346 | ≤ 2.11.0 | 2025-02-12
A CWE-346 "Origin Validation Error" in the CORS configuration in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to affect the device confidentiality, integrity, or availability via crafted URLs or HTTP requests.
nvd
CVE-2025-26358 | P4 | MEDIUM | CVSS 5.5 | CWE-20 | ≤ 2.11.0 | 2025-02-12
A CWE-15 "External Control of System or Configuration Setting" in ldbMT.so in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to modify system configuration via crafted HTTP requests.
nvd
CVE-2025-1101 | P4 | MEDIUM | CVSS 5.3 | CWE-204 | ≤ 2.11.0 | 2025-02-12
A CWE-204 "Observable Response Discrepancy" in the login page in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enumerate valid usernames via crafted HTTP requests.
nvd
CVE-2025-26353 | P4 | MEDIUM | CVSS 4.9 | CWE-35 | ≤ 2.11.0 | 2025-02-12
A CWE-35 "Path Traversal" in maxtime/api/sql/sql.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to read sensitive files via crafted HTTP requests.
nvd
CVE-2025-26357 | P4 | MEDIUM | CVSS 4.9 | CWE-35 | ≤ 2.11.0 | 2025-02-12
A CWE-35 "Path Traversal" in maxtime/api/database/database.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to read sensitive files via crafted HTTP requests.
nvd