VYPR

MaxTime

by Q-Free

CVEs (43)

  • CVE-2025-26351MedFeb 12, 2025
    risk 0.32cvss 4.9epss 0.01

    A CWE-35 "Path Traversal" in the template download mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to read sensitive files via crafted HTTP requests.

  • CVE-2025-26350MedFeb 12, 2025
    risk 0.32cvss 4.9epss 0.01

    A CWE-434 "Unrestricted Upload of File with Dangerous Type" in the template file uploads in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to upload malicious files via crafted HTTP requests.

  • CVE-2025-26367MedFeb 12, 2025
    risk 0.28cvss 4.3epss 0.00

    A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to create arbitrary user groups via crafted HTTP requests.

Page 3 of 3