Search

Use the Query Builder to create your own search query, or check out the documentation to learn the search syntax.

Search Examples

CVEs in KEV CVEs with EPSS >= 80% Crit. Microsoft High Apache SQL Injection (CWE-89) Linux Kernel High (CVSS 3.1) Apache Struts RCE (Remote Code Execution) XSS (CWE-79) Critical (CVSS 4.0) CVEs to check

Search Results (43 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-26349 1 Q-free 1 Maxtime 2025-07-12 7.2 High
A CWE-23 "Relative Path Traversal" in the file upload mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite arbitrary files via crafted HTTP requests.
CVE-2025-26351 1 Q-free 1 Maxtime 2025-07-12 4.9 Medium
A CWE-35 "Path Traversal" in the template download mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to read sensitive files via crafted HTTP requests.
CVE-2025-26352 1 Q-free 1 Maxtime 2025-07-12 6.5 Medium
A CWE-35 "Path Traversal" in the template deletion mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to delete sensitive files via crafted HTTP requests.
CVE-2025-26354 1 Q-free 1 Maxtime 2025-07-12 7.2 High
A CWE-35 "Path Traversal" in maxtime/api/database/database.lua (copy endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite sensitive files via crafted HTTP requests.
CVE-2025-26355 1 Q-free 1 Maxtime 2025-07-12 6.5 Medium
A CWE-35 "Path Traversal" in maxtime/api/database/database.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to delete sensitive files via crafted HTTP requests.
CVE-2025-26356 1 Q-free 1 Maxtime 2025-07-12 7.2 High
A CWE-35 "Path Traversal" in maxtime/api/database/database.lua (setActive endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite sensitive files via crafted HTTP requests.
CVE-2025-26357 1 Q-free 1 Maxtime 2025-07-12 4.9 Medium
A CWE-35 "Path Traversal" in maxtime/api/database/database.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to read sensitive files via crafted HTTP requests.
CVE-2025-26358 1 Q-free 1 Maxtime 2025-07-12 5.5 Medium
A CWE-20 "Improper Input Validation" in ldbMT.so in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to modify system configuration via crafted HTTP requests.
CVE-2025-26360 1 Q-free 1 Maxtime 2025-07-12 5.3 Medium
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/persistance/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to delete dashboards via crafted HTTP requests.
CVE-2025-26361 1 Q-free 1 Maxtime 2025-07-12 9.1 Critical
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to factory reset the device via crafted HTTP requests.
CVE-2025-26364 1 Q-free 1 Maxtime 2025-07-12 7.5 High
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to disable an authentication profile server via crafted HTTP requests.
CVE-2025-26366 1 Q-free 1 Maxtime 2025-07-12 7.5 High
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to disable front panel authentication via crafted HTTP requests.
CVE-2025-26370 1 Q-free 1 Maxtime 2025-07-12 7.1 High
A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove privileges from user groups via crafted HTTP requests.
CVE-2025-26373 1 Q-free 1 Maxtime 2025-07-12 6.5 Medium
A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua (user endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to enumerate users via crafted HTTP requests.
CVE-2025-26374 1 Q-free 1 Maxtime 2025-07-12 6.5 Medium
A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua (users endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to enumerate users via crafted HTTP requests.
CVE-2025-26377 1 Q-free 1 Maxtime 2025-07-12 8.1 High
A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove users via crafted HTTP requests.
CVE-2025-26369 1 Q-free 1 Maxtime 2025-05-27 8.8 High
A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add privileges to user groups via crafted HTTP requests.
CVE-2025-26378 1 Q-free 1 Maxtime 2025-04-10 8.8 High
A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to reset passwords, including the ones of administrator accounts, via crafted HTTP requests.
CVE-2025-26367 1 Q-free 1 Maxtime 2025-04-10 4.3 Medium
A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to create arbitrary user groups via crafted HTTP requests.
CVE-2025-26371 1 Q-free 1 Maxtime 2025-04-10 8.8 High
A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add users to groups via crafted HTTP requests.