Path Traversal Vulnerability in Q-Free MaxTime Product
CVE-2025-26355

6.5MEDIUM

Key Information:

Vendor: Q-free
Status: Maxtime
Vendor: CVE Published:; 12 February 2025

Summary

A path traversal vulnerability exists in the Q-Free MaxTime product, specifically in the 'maxtime/api/database/database.lua' component. This flaw allows an authenticated remote attacker to manipulate HTTP requests in a way that could lead to the deletion of sensitive files on the server. The issue impacts all versions of MaxTime up to and including version 2.11.0, exposing the affected systems to potential data breaches and operational risks.

Affected Version(s)

MaxTime 0 <= 2.11.0

References

https://www.nozominetworks.com/labs/vulnerability-advisor...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 12, 2025
Vulnerability Reserved
Feb 7, 2025

Credit

Diego Giubertoni of Nozomi Networks found this bug during a security research activity.