CVE-2025-26354

CVSS 3.1 Score 7.2 of 10 (high)

Details

Published Feb 12, 2025

CWE ID 35

Summary

CVE-2025-26354 refers to a path traversal vulnerability in Q-Free MaxTime's api/database/database.lua file, specifically in the copy endpoint. This issue, designated as CWE-35, permits an authenticated attacker to overwrite sensitive files via crafted HTTP requests. Successful exploitation could lead to unauthorized data modification, potential data leaks, or system instability. The affected version is Q-Free MaxTime 2.11.0 and above. It is strongly recommended that users upgrade to a patched version to mitigate this security risk.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Q-Free Maxtime

Affected Vendors

Nozomi Networks

Advisories, Assessments, and Mitigations

https://app.recordedfuture.com/live/sc/entity/3IhZci
https://www.cve.org/CVERecord?id=CVE-2025-26354
https://nvd.nist.gov/vuln/detail/CVE-2025-26354

Back to Vulnerability Database