VYPR

MaxTime

by Q-Free

CVEs (43)

  • CVE-2025-26363HigFeb 12, 2025
    risk 0.49cvss 7.5epss 0.01

    A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable an authentication profile server via crafted HTTP requests.

  • CVE-2025-26362HigFeb 12, 2025
    risk 0.49cvss 7.5epss 0.01

    A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to set an arbitrary authentication profile server via crafted HTTP requests.

  • CVE-2025-26356HigFeb 12, 2025
    risk 0.47cvss 7.2epss 0.01

    A CWE-35 "Path Traversal" in maxtime/api/database/database.lua (setActive endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite sensitive files via crafted HTTP requests.

  • CVE-2025-26354HigFeb 12, 2025
    risk 0.47cvss 7.2epss 0.01

    A CWE-35 "Path Traversal" in maxtime/api/database/database.lua (copy endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite sensitive files via crafted HTTP requests.

  • CVE-2025-26349HigFeb 12, 2025
    risk 0.47cvss 7.2epss 0.03

    A CWE-23 "Relative Path Traversal" in the file upload mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite arbitrary files via crafted HTTP requests.

  • CVE-2025-26372HigFeb 12, 2025
    risk 0.46cvss 7.1epss 0.00

    A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove users from groups via crafted HTTP requests.

  • CVE-2025-26370HigFeb 12, 2025
    risk 0.46cvss 7.1epss 0.00

    A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove privileges from user groups via crafted HTTP requests.

  • CVE-2025-26376MedFeb 12, 2025
    risk 0.42cvss 6.5epss 0.00

    A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to modify user data via crafted HTTP requests.

  • CVE-2025-26374MedFeb 12, 2025
    risk 0.42cvss 6.5epss 0.00

    A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua (users endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to enumerate users via crafted HTTP requests.

  • CVE-2025-26373MedFeb 12, 2025
    risk 0.42cvss 6.5epss 0.00

    A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua (user endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to enumerate users via crafted HTTP requests.

  • CVE-2025-26355MedFeb 12, 2025
    risk 0.42cvss 6.5epss 0.01

    A CWE-35 "Path Traversal" in maxtime/api/database/database.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to delete sensitive files via crafted HTTP requests.

  • CVE-2025-26352MedFeb 12, 2025
    risk 0.42cvss 6.5epss 0.01

    A CWE-35 "Path Traversal" in the template deletion mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to delete sensitive files via crafted HTTP requests.

  • CVE-2025-26358MedFeb 12, 2025
    risk 0.36cvss 5.5epss 0.01

    A CWE-15 "External Control of System or Configuration Setting" in ldbMT.so in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to modify system configuration via crafted HTTP requests.

  • CVE-2025-26348MedFeb 12, 2025
    risk 0.36cvss 5.5epss 0.01

    A CWE-89 "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" in maxprofile/menu/model.lua (editUserMenu endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to execute arbitrary SQL commands…

  • CVE-2025-26346MedFeb 12, 2025
    risk 0.36cvss 5.5epss 0.01

    A CWE-89 "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" in maxprofile/menu/model.lua (editUserGroupMenu endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to execute arbitrary SQL…

  • CVE-2025-1102MedFeb 12, 2025
    risk 0.36cvss 5.5epss 0.00

    A CWE-346 "Origin Validation Error" in the CORS configuration in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to affect the device confidentiality, integrity, or availability via crafted URLs or HTTP requests.

  • CVE-2025-1101MedFeb 12, 2025
    risk 0.35cvss 5.3epss 0.01

    A CWE-204 "Observable Response Discrepancy" in the login page in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enumerate valid usernames via crafted HTTP requests.

  • CVE-2025-26360MedFeb 12, 2025
    risk 0.34cvss 5.3epss 0.00

    A CWE-306 "Missing Authentication for Critical Function" in maxprofile/persistance/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to delete dashboards via crafted HTTP requests.

  • CVE-2025-26357MedFeb 12, 2025
    risk 0.32cvss 4.9epss 0.01

    A CWE-35 "Path Traversal" in maxtime/api/database/database.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to read sensitive files via crafted HTTP requests.

  • CVE-2025-26353MedFeb 12, 2025
    risk 0.32cvss 4.9epss 0.01

    A CWE-35 "Path Traversal" in maxtime/api/sql/sql.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to read sensitive files via crafted HTTP requests.