Aggregates CVE and security vulnerability intelligence across all q-free-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk sql injection, vendor risk path handling, and vendor risk input validation and related problems; some flaws may lead to vendor impact unexpected behavior and vendor impact file overwrite.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-26378 | A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to reset passwords, including the ones of administrator accounts, via crafted HTTP requests. | [email protected] | 8.8 | 0.22% | 2025-02-12 | 2025-04-10 |
| CVE-2025-26377 | A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove users via crafted HTTP requests. | [email protected] | 8.1 | 0.22% | 2025-02-12 | 2025-10-28 |
| CVE-2025-26376 | A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to modify user data via crafted HTTP requests. | [email protected] | 6.5 | 0.25% | 2025-02-12 | 2025-04-10 |
| CVE-2025-26375 | A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to create users with arbitrary privileges via crafted HTTP requests. | [email protected] | 8.8 | 0.22% | 2025-02-12 | 2025-04-10 |
| CVE-2025-26374 | A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua (users endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to enumerate users via crafted HTTP requests. | [email protected] | 6.5 | 0.18% | 2025-02-12 | 2025-03-03 |
| CVE-2025-26373 | A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua (user endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to enumerate users via crafted HTTP requests. | [email protected] | 6.5 | 0.26% | 2025-02-12 | 2025-10-28 |
| CVE-2025-26372 | A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove users from groups via crafted HTTP requests. | [email protected] | 7.1 | 0.20% | 2025-02-12 | 2025-03-03 |
| CVE-2025-26371 | A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add users to groups via crafted HTTP requests. | [email protected] | 8.8 | 0.22% | 2025-02-12 | 2025-04-10 |
| CVE-2025-26370 | A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove privileges from user groups via crafted HTTP requests. | [email protected] | 7.1 | 0.16% | 2025-02-12 | 2025-10-28 |
| CVE-2025-26369 | A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add privileges to user groups via crafted HTTP requests. | [email protected] | 8.8 | 0.22% | 2025-02-12 | 2025-05-27 |
| CVE-2025-26368 | A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove user groups via crafted HTTP requests. | [email protected] | 8.1 | 0.22% | 2025-02-12 | 2025-04-10 |
| CVE-2025-26367 | A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to create arbitrary user groups via crafted HTTP requests. | [email protected] | 4.3 | 0.25% | 2025-02-12 | 2025-04-10 |
| CVE-2025-26366 | A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to disable front panel authentication via crafted HTTP requests. | [email protected] | 7.5 | 0.57% | 2025-02-12 | 2025-10-28 |
| CVE-2025-26365 | A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable front panel authentication via crafted HTTP requests. | [email protected] | 7.5 | 0.57% | 2025-02-12 | 2025-10-28 |
| CVE-2025-26364 | A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to disable an authentication profile server via crafted HTTP requests. | [email protected] | 7.5 | 0.57% | 2025-02-12 | 2025-10-28 |
| CVE-2025-26363 | A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable an authentication profile server via crafted HTTP requests. | [email protected] | 7.5 | 0.57% | 2025-02-12 | 2025-10-28 |
| CVE-2025-26362 | A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to set an arbitrary authentication profile server via crafted HTTP requests. | [email protected] | 7.5 | 0.57% | 2025-02-12 | 2025-10-28 |
| CVE-2025-26361 | A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to factory reset the device via crafted HTTP requests. | [email protected] | 9.1 | 1.25% | 2025-02-12 | 2025-10-28 |
| CVE-2025-26360 | A CWE-306 "Missing Authentication for Critical Function" in maxprofile/persistance/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to delete dashboards via crafted HTTP requests. | [email protected] | 5.3 | 0.63% | 2025-02-12 | 2025-10-28 |
| CVE-2025-26359 | A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset user PINs via crafted HTTP requests. | [email protected] | 9.8 | 1.29% | 2025-02-12 | 2025-10-28 |