q-free 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
公開された問題は vendor risk sql injection、パス処理の欠陥, and vendor risk input validation に関連することが多く、vendor surface production workloads and vendor surface software deployment の文脈で vendor impact unexpected behavior and ファイル上書き などの暴露リスクを伴う場合があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2025-26378 | A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to reset passwords, including the ones of administrator accounts, via crafted HTTP requests. | [email protected] | 8.8 | 0.53% | 2025-02-12 | 2026-06-17 |
| CVE-2025-26377 | A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove users via crafted HTTP requests. | [email protected] | 8.1 | 0.49% | 2025-02-12 | 2026-06-17 |
| CVE-2025-26376 | A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to modify user data via crafted HTTP requests. | [email protected] | 6.5 | 0.25% | 2025-02-12 | 2026-06-17 |
| CVE-2025-26375 | A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to create users with arbitrary privileges via crafted HTTP requests. | [email protected] | 8.8 | 0.53% | 2025-02-12 | 2026-06-17 |
| CVE-2025-26374 | A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua (users endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to enumerate users via crafted HTTP requests. | [email protected] | 6.5 | 0.30% | 2025-02-12 | 2026-06-17 |
| CVE-2025-26373 | A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua (user endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to enumerate users via crafted HTTP requests. | [email protected] | 6.5 | 0.36% | 2025-02-12 | 2026-06-17 |
| CVE-2025-26372 | A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove users from groups via crafted HTTP requests. | [email protected] | 7.1 | 0.38% | 2025-02-12 | 2026-06-17 |
| CVE-2025-26371 | A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add users to groups via crafted HTTP requests. | [email protected] | 8.8 | 0.53% | 2025-02-12 | 2026-06-17 |
| CVE-2025-26370 | A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove privileges from user groups via crafted HTTP requests. | [email protected] | 7.1 | 0.35% | 2025-02-12 | 2026-06-17 |
| CVE-2025-26369 | A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add privileges to user groups via crafted HTTP requests. | [email protected] | 8.8 | 0.53% | 2025-02-12 | 2026-06-17 |
| CVE-2025-26368 | A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove user groups via crafted HTTP requests. | [email protected] | 8.1 | 0.49% | 2025-02-12 | 2026-06-17 |
| CVE-2025-26367 | A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to create arbitrary user groups via crafted HTTP requests. | [email protected] | 4.3 | 0.25% | 2025-02-12 | 2026-06-17 |
| CVE-2025-26366 | A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to disable front panel authentication via crafted HTTP requests. | [email protected] | 7.5 | 0.52% | 2025-02-12 | 2026-06-17 |
| CVE-2025-26365 | A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable front panel authentication via crafted HTTP requests. | [email protected] | 7.5 | 0.52% | 2025-02-12 | 2026-06-17 |
| CVE-2025-26364 | A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to disable an authentication profile server via crafted HTTP requests. | [email protected] | 7.5 | 0.52% | 2025-02-12 | 2026-06-17 |
| CVE-2025-26363 | A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable an authentication profile server via crafted HTTP requests. | [email protected] | 7.5 | 0.52% | 2025-02-12 | 2026-06-17 |
| CVE-2025-26362 | A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to set an arbitrary authentication profile server via crafted HTTP requests. | [email protected] | 7.5 | 0.52% | 2025-02-12 | 2026-06-17 |
| CVE-2025-26361 | A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to factory reset the device via crafted HTTP requests. | [email protected] | 9.1 | 0.79% | 2025-02-12 | 2026-06-17 |
| CVE-2025-26360 | A CWE-306 "Missing Authentication for Critical Function" in maxprofile/persistance/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to delete dashboards via crafted HTTP requests. | [email protected] | 5.3 | 0.45% | 2025-02-12 | 2026-06-17 |
| CVE-2025-26359 | A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset user PINs via crafted HTTP requests. | [email protected] | 9.8 | 0.85% | 2025-02-12 | 2026-06-17 |