CVE-2025-26367 MEDIUM

CVE-2025-26367

Vendor Q-Free

Product MaxTime

Weakness CWE-862 · Missing authorization

Published February 12, 2025

Last update February 17, 2025

View on NVD All CVEs

CVSS base score

4.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to create arbitrary user groups via crafted HTTP requests.

Key dates

02Disclosure timeline

February 12, 2025 CVE published

February 17, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-26367 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

04Related CVE

CVE-2026-32452 WordPress Fusion Builder plugin < 3.15.0 - Broken Access Control vulnerability CVE-2023-35777 WordPress The Events Calendar plugin <= 6.1.2.2 - Broken Access Control vulnerability CVE-2025-64246 WordPress Accessibility by AudioEye plugin <= 1.0.49 - Broken Access Control vulnerability CVE-2024-8434 Easy Mega Menu Plugin for WordPress – ThemeHunk <= 1.0.9 - Missing Authorization to Authenticated (Subscriber+) Settings Updates CVE-2025-41113 Missing Authorization vulnerability in CanalDenuncia.app