CVE-2025-26348
CVSS 3.1 Score 5.5 of 10 (medium)
Details
Published Feb 12, 2025
CWE ID 89
Summary
CVE-2025-26348 is a SQL injection vulnerability (CWE-89) affecting Q-Free MaxTime versions 2.11.0 and below. An authenticated attacker can exploit the editUserMenu endpoint in maxprofile/menu/model.lua by sending HTTP requests that contain malicious SQL commands. This could allow the attacker to execute arbitrary SQL queries and potentially gain unauthorized access to sensitive data. Successful exploitation requires authentication, but the vulnerability poses a significant risk if not promptly addressed.
Affected Products
- Q-Free MaxTime
Affected Vendors
- Nozomi Networks