PT-2025-7145 · Q Free · Q-Free Maxtime

Diego Giubertoni

Published

2025-02-11

Updated

2025-10-28

CVE-2025-26356

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: Q-Free MaxTime versions 2.11.0 and earlier

Description: A path traversal issue in the setActive endpoint of maxtime/api/database/database.lua allows an authenticated remote attacker to overwrite sensitive files via crafted HTTP requests. The issue is related to the setActive endpoint, which is vulnerable to path traversal attacks, enabling an attacker to manipulate HTTP requests and overwrite confidential files.

Recommendations: For Q-Free MaxTime versions 2.11.0 and earlier, as a temporary workaround, consider restricting access to the setActive endpoint in maxtime/api/database/database.lua to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-35

Related Identifiers

BDU:2025-11397

CVE-2025-26356

Affected Products

Q-Free Maxtime

PT-2025-7145 · Q Free · Q-Free Maxtime

CVE-2025-26356

Weakness Enumeration

Related Identifiers

Affected Products

References · 9