CVE-2025-26371

CVSS 3.1 Score 8.8 of 10 (high)

Details

Published Feb 12, 2025

Updated: Mar 3, 2025

CWE ID 862

Summary

CVE-2025-26371 is a vulnerability affecting Q-Free MaxTime versions 2.11.0 and below. This issue, classified as CWE-862 "Missing Authorization," enables authenticated, low-privileged attackers to manipulate user group assignments via crafted HTTP requests. The missing authorization check in maxprofile/user-groups/routes.lua allows unauthorized addition of users to groups, potentially leading to privilege escalation and security breaches.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Q-Free Maxtime

Affected Vendors

Nozomi Networks

Advisories, Assessments, and Mitigations

https://app.recordedfuture.com/live/sc/entity/3Ig6hb
https://www.cve.org/CVERecord?id=CVE-2025-26371
https://nvd.nist.gov/vuln/detail/CVE-2025-26371

Back to Vulnerability Database