CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2025-26352 |
Description: A CWE-35 "Path Traversal" in the template deletion mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to delete sensitive files via crafted HTTP requests.
CVSS: MEDIUM (6.5) EPSS Score: 0.04%
February 13th, 2025 (5 months ago)
|
|
CVE-2025-26351 |
Description: A CWE-35 "Path Traversal" in the template download mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to read sensitive files via crafted HTTP requests.
CVSS: MEDIUM (4.9) EPSS Score: 0.04%
February 13th, 2025 (5 months ago)
|
|
CVE-2025-26350 |
Description: A CWE-434 "Unrestricted Upload of File with Dangerous Type" in the template file uploads in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to upload malicious files via crafted HTTP requests.
CVSS: MEDIUM (4.9) EPSS Score: 0.04%
February 13th, 2025 (5 months ago)
|
|
CVE-2025-26349 |
Description: A CWE-23 "Relative Path Traversal" in the file upload mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite arbitrary files via crafted HTTP requests.
CVSS: HIGH (7.2) EPSS Score: 0.04%
February 13th, 2025 (5 months ago)
|
|
CVE-2025-26348 |
Description: A CWE-89 "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" in maxprofile/menu/model.lua (editUserMenu endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to execute arbitrary SQL commands via crafted HTTP requests.
CVSS: MEDIUM (5.5) EPSS Score: 0.04%
February 13th, 2025 (5 months ago)
|
|
CVE-2025-26347 |
Description: A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user permissions via crafted HTTP requests.
CVSS: CRITICAL (9.8) EPSS Score: 0.04%
February 13th, 2025 (5 months ago)
|
|
CVE-2025-26346 |
Description: A CWE-89 "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" in maxprofile/menu/model.lua (editUserGroupMenu endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to execute arbitrary SQL commands via crafted HTTP requests.
CVSS: MEDIUM (5.5) EPSS Score: 0.04%
February 13th, 2025 (5 months ago)
|
|
CVE-2025-26345 |
Description: A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user group permissions via crafted HTTP requests.
CVSS: CRITICAL (9.8) EPSS Score: 0.04%
February 13th, 2025 (5 months ago)
|
|
CVE-2025-26344 |
Description: A CWE-306 "Missing Authentication for Critical Function" in maxprofile/guest-mode/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable passwordless guest mode via crafted HTTP requests.
CVSS: CRITICAL (9.8) EPSS Score: 0.04%
February 13th, 2025 (5 months ago)
|
|
CVE-2025-26343 |
Description: A CWE-1390 "Weak Authentication" in the PIN authentication mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to brute-force user PINs via multiple crafted HTTP requests.
CVSS: HIGH (8.1) EPSS Score: 0.04%
February 13th, 2025 (5 months ago)
|