CVE-2025-26348

Name of the Vulnerable Software and Affected Versions: Q-Free MaxTime versions prior to 2.11.0

Description: The issue is related to an improper neutralization of special elements used in an SQL command, also known as SQL Injection. This occurs in the maxprofile/menu/model.lua file, specifically at the editUserMenu endpoint. An authenticated remote attacker can exploit this to execute arbitrary SQL commands via crafted HTTP requests.

Recommendations: For versions prior to 2.11.0, update to version 2.11.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the editUserMenu endpoint in maxprofile/menu/model.lua to minimize the risk of exploitation.