Every CVE whose affected-product data names Q-free Maxtime, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (43)
CVE-2025-26344 — CVSS 9.8 (critical): A CWE-306 "Missing Authentication for Critical Function" in maxprofile/guest-mode/routes.lua in Q-Free MaxTime less than or equal to…
CVE-2025-26359 — CVSS 9.8 (critical): A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version…
CVE-2025-1100 — CVSS 9.8 (critical): A CWE-259 "Use of Hard-coded Password" for the root account in Q-Free MaxTime less than or equal to version 2.11.0 allows an…
CVE-2025-26339 — CVSS 9.8 (critical): A CWE-306 "Missing Authentication for Critical Function" in maxtime/handleRoute.lua in Q-Free MaxTime less than or equal to version 2.11.0…
CVE-2025-26347 — CVSS 9.8 (critical): A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version…
CVE-2025-26341 — CVSS 9.8 (critical): A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version…
CVE-2025-26342 — CVSS 9.8 (critical): A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version…
CVE-2025-26345 — CVSS 9.8 (critical): A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version…
CVE-2025-26361 — CVSS 9.1 (critical): A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version…
CVE-2025-26378 — CVSS 8.8 (high): A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an…
CVE-2025-26371 — CVSS 8.8 (high): A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an…
CVE-2025-26340 — CVSS 8.8 (high): A CWE-321 "Use of Hard-coded Cryptographic Key" in the JWT signing in Q-Free MaxTime less than or equal to version 2.11.0 allows an…
CVE-2025-26369 — CVSS 8.8 (high): A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an…
CVE-2025-26375 — CVSS 8.8 (high): A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an…
CVE-2025-26368 — CVSS 8.1 (high): A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an…
CVE-2025-26343 — CVSS 8.1 (high): A CWE-1390 "Weak Authentication" in the PIN authentication mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an…
CVE-2025-26377 — CVSS 8.1 (high): A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an…
CVE-2025-26363 — CVSS 7.5 (high): A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version…
CVE-2025-26364 — CVSS 7.5 (high): A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version…
CVE-2025-26366 — CVSS 7.5 (high): A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version…
CVE-2025-26365 — CVSS 7.5 (high): A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version…
CVE-2025-26362 — CVSS 7.5 (high): A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version…
CVE-2025-26349 — CVSS 7.2 (high): A CWE-23 "Relative Path Traversal" in the file upload mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an…
CVE-2025-26354 — CVSS 7.2 (high): A CWE-35 "Path Traversal" in maxtime/api/database/database.lua (copy endpoint) in Q-Free MaxTime less than or equal to version 2.11.0…
CVE-2025-26356 — CVSS 7.2 (high): A CWE-35 "Path Traversal" in maxtime/api/database/database.lua (setActive endpoint) in Q-Free MaxTime less than or equal to version 2.11.0…
CVE-2025-26370 — CVSS 7.1 (high): A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an…
CVE-2025-26372 — CVSS 7.1 (high): A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an…
CVE-2025-26352 — CVSS 6.5 (medium): A CWE-35 "Path Traversal" in the template deletion mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated…
CVE-2025-26355 — CVSS 6.5 (medium): A CWE-35 "Path Traversal" in maxtime/api/database/database.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an…
CVE-2025-26373 — CVSS 6.5 (medium): A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua (user endpoint) in Q-Free MaxTime less than or equal to version 2.11.0…
CVE-2025-26374 — CVSS 6.5 (medium): A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua (users endpoint) in Q-Free MaxTime less than or equal to version 2.11.0…
CVE-2025-26376 — CVSS 6.5 (medium): A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an…
CVE-2025-1102 — CVSS 5.5 (medium): A CWE-346 "Origin Validation Error" in the CORS configuration in Q-Free MaxTime less than or equal to version 2.11.0 allows an…
CVE-2025-26346 — CVSS 5.5 (medium): A CWE-89 "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" in maxprofile/menu/model.lua…
CVE-2025-26348 — CVSS 5.5 (medium): A CWE-89 "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" in maxprofile/menu/model.lua (editUserMenu…
CVE-2025-26358 — CVSS 5.5 (medium): A CWE-15 "External Control of System or Configuration Setting" in ldbMT.so in Q-Free MaxTime less than or equal to version 2.11.0 allows an…
CVE-2025-1101 — CVSS 5.3 (medium): A CWE-204 "Observable Response Discrepancy" in the login page in Q-Free MaxTime less than or equal to version 2.11.0 allows an…
CVE-2025-26360 — CVSS 5.3 (medium): A CWE-306 "Missing Authentication for Critical Function" in maxprofile/persistance/routes.lua in Q-Free MaxTime less than or equal to…
CVE-2025-26351 — CVSS 4.9 (medium): A CWE-35 "Path Traversal" in the template download mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated…
CVE-2025-26357 — CVSS 4.9 (medium): A CWE-35 "Path Traversal" in maxtime/api/database/database.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an…
CVE-2025-26353 — CVSS 4.9 (medium): A CWE-35 "Path Traversal" in maxtime/api/sql/sql.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote…
CVE-2025-26350 — CVSS 4.9 (medium): A CWE-434 "Unrestricted Upload of File with Dangerous Type" in the template file uploads in Q-Free MaxTime less than or equal to version…
CVE-2025-26367 — CVSS 4.3 (medium): A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an…