CVE-2025-26378

CVSS 3.1 Score 8.8 of 10 (high)

Details

Published Feb 12, 2025

Updated: Mar 3, 2025

CWE ID 862

Summary

CVE-2025-26378 is a missing authorization vulnerability affecting Q-Free MaxTime versions 2.11.0 and below. An authenticated, low-privileged attacker can exploit this issue in maxprofile/users/routes.lua to reset passwords, even those of administrator accounts, through carefully crafted HTTP requests. This flaw exposes sensitive information and compromises system security.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Q-Free Maxtime

Affected Vendors

Nozomi Networks

Advisories, Assessments, and Mitigations

https://app.recordedfuture.com/live/sc/entity/3IhESY
https://www.cve.org/CVERecord?id=CVE-2025-26378
https://nvd.nist.gov/vuln/detail/CVE-2025-26378

Back to Vulnerability Database