Vulmon
q-free maxtime vulnerabilities and exploits
9.8
CVSSv3
CVE-2025-1100
A CWE-259 "Use of Hard-coded Password" for the root account in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote malicious user to execute arbitrary code with root privileges via SSH.
Q-free Maxtime
5.3
CVSSv3
CVE-2025-1101
A CWE-204 "Observable Response Discrepancy" in the login page in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote malicious user to enumerate valid usernames via crafted HTTP requests.
Q-free Maxtime
5.5
CVSSv3
CVE-2025-1102
A CWE-346 "Origin Validation Error" in the CORS configuration in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote malicious user to affect the device confidentiality, integrity, or availability via crafted URLs or HTTP requests.
Q-free Maxtime
9.8
CVSSv3
CVE-2025-26339
A CWE-306 "Missing Authentication for Critical Function" in maxtime/handleRoute.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote malicious user to affect the device confidentiality, integrity, or availability in multiple unspec...
Q-free Maxtime
8.8
CVSSv3
CVE-2025-26340
A CWE-321 "Use of Hard-coded Cryptographic Key" in the JWT signing in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote malicious user to bypass the authentication via crafted HTTP requests.
Q-free Maxtime
9.8
CVSSv3
CVE-2025-26341
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote malicious user to reset arbitrary user passwords via crafted HTTP requests.
Q-free Maxtime
9.8
CVSSv3
CVE-2025-26342
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote malicious user to create arbitrary users, including administrators, via crafted HTTP reques...
Q-free Maxtime
8.1
CVSSv3
CVE-2025-26343
A CWE-1390 "Weak Authentication" in the PIN authentication mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote malicious user to brute-force user PINs via multiple crafted HTTP requests.
Q-free Maxtime
9.8
CVSSv3
CVE-2025-26344
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/guest-mode/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote malicious user to enable passwordless guest mode via crafted HTTP requests.
Q-free Maxtime
9.8
CVSSv3
CVE-2025-26345
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote malicious user to edit user group permissions via crafted HTTP requests.
Q-free Maxtime