CVE-2025-26363
Description: A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable an authentication profile server via crafted HTTP requests.
CVSS: HIGH (7.5) EPSS Score: 0.04%
February 13th, 2025 (5 months ago)

CVE-2025-26362
Description: A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to set an arbitrary authentication profile server via crafted HTTP requests.
CVSS: HIGH (7.5) EPSS Score: 0.04%
February 13th, 2025 (5 months ago)

CVE-2025-26356
Description: A CWE-35 "Path Traversal" in maxtime/api/database/database.lua (setActive endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite sensitive files via crafted HTTP requests.
CVSS: HIGH (7.2) EPSS Score: 0.04%
February 13th, 2025 (5 months ago)

CVE-2025-26354
Description: A CWE-35 "Path Traversal" in maxtime/api/database/database.lua (copy endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite sensitive files via crafted HTTP requests.
CVSS: HIGH (7.2) EPSS Score: 0.04%
February 13th, 2025 (5 months ago)

CVE-2025-26349
Description: A CWE-23 "Relative Path Traversal" in the file upload mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite arbitrary files via crafted HTTP requests.
CVSS: HIGH (7.2) EPSS Score: 0.04%
February 13th, 2025 (5 months ago)

CVE-2025-26343
Description: A CWE-1390 "Weak Authentication" in the PIN authentication mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to brute-force user PINs via multiple crafted HTTP requests.
CVSS: HIGH (8.1) EPSS Score: 0.04%
February 13th, 2025 (5 months ago)

CVE-2025-26340
Description: A CWE-321 "Use of Hard-coded Cryptographic Key" in the JWT signing in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to bypass the authentication via crafted HTTP requests.
CVSS: HIGH (8.8) EPSS Score: 0.04%
February 13th, 2025 (5 months ago)

CVE-2025-25283
Description: parse-duration is software that allows users to convert a human-readable duration to milliseconds. Versions prior to 2.1.3 are vulnerable to an event loop delay caused by the CPU-bound operation of resolving the provided string, ranging from 0.5 ms up to ~50 ms per operation for input sizes from 0.01 MB up to 4.3 MB respectively, and to an out-of-memory condition that would crash a running Node.js application when given a string of roughly 10 MB that uses Unicode characters. Version 2.1.3 contains a patch.
CVSS: HIGH (7.5) EPSS Score: 0.05%
February 13th, 2025 (5 months ago)

CVE-2025-25205
Description: Audiobookshelf is a self-hosted audiobook and podcast server. Starting in version 2.17.0 and prior to version 2.19.1, a flaw in the authentication bypass logic allows unauthenticated requests to match certain unanchored regex patterns in the URL. Attackers can craft URLs containing substrings like "/api/items/1/cover" in a query parameter (?r=/api/items/1/cover) to partially bypass authentication or trigger server crashes under certain routes. This could lead to information disclosure of otherwise protected data and, in some cases, a complete denial of service (server crash) if downstream code expects an authenticated user object. Version 2.19.1 contains a patch for the issue.
CVSS: HIGH (8.2) EPSS Score: 0.05%
February 13th, 2025 (5 months ago)

CVE-2025-25199
Description: go-crypto-winnative is a Go crypto backend for Windows using Cryptography API: Next Generation (CNG). Prior to commit f49c8e1379ea4b147d5bff1b3be5b0ff45792e41, calls to `cng.TLS1PRF` don't release the key handle, producing a small memory leak on every call. Commit f49c8e1379ea4b147d5bff1b3be5b0ff45792e41 contains a fix for the issue. The fix is included in versions 1.23.6-2 and 1.22.12-2 of the Microsoft build of Go, as well as in the pseudoversion 0.0.0-20250211154640-f49c8e1379ea of the `github.com/microsoft/go-crypto-winnative` Go package.
CVSS: HIGH (7.5) EPSS Score: 0.04%
February 13th, 2025 (5 months ago)