CVE-2025-26356

Name of the Vulnerable Software and Affected Versions: Q-Free MaxTime versions 2.11.0 and earlier

Description: A path traversal issue in the setActive endpoint of maxtime/api/database/database.lua allows an authenticated remote attacker to overwrite sensitive files via crafted HTTP requests. The issue is related to the setActive endpoint, which is vulnerable to path traversal attacks, enabling an attacker to manipulate HTTP requests and overwrite confidential files.

Recommendations: For Q-Free MaxTime versions 2.11.0 and earlier, as a temporary workaround, consider restricting access to the setActive endpoint in maxtime/api/database/database.lua to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.