CVE-2025-26354

Name of the Vulnerable Software and Affected Versions: Q-Free MaxTime versions prior to 2.11.0

Description: A path traversal issue in the maxtime/api/database/database.lua file, specifically in the copy endpoint, allows an authenticated remote attacker to overwrite sensitive files via crafted HTTP requests. This issue affects Q-Free MaxTime versions less than or equal to 2.11.0.

Recommendations: For versions prior to 2.11.0, update to version 2.11.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the maxtime/api/database/database.lua file and the copy endpoint to minimize the risk of exploitation. Avoid using the copy endpoint in the affected API until the issue is resolved.