CVE-2025-26341

Name of the Vulnerable Software and Affected Versions: Q-Free MaxTime versions 2.11.0 and earlier

Description: The issue is related to missing authentication for a critical function, allowing an unauthenticated remote attacker to reset arbitrary user passwords via crafted HTTP requests. This is due to a problem in the maxprofile/accounts/routes.lua file.

Recommendations: For Q-Free MaxTime versions 2.11.0 and earlier, update to a version later than 2.11.0 to resolve the issue. As a temporary workaround, consider restricting access to the maxprofile/accounts/routes.lua file until a patch is available.