CVE-2025-26368 HIGH

CVE-2025-26368

Vendor Q-Free

Product MaxTime

Weakness CWE-862 · Missing authorization

Published February 12, 2025

Last update February 17, 2025

View on NVD All CVEs

CVSS base score

8.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

What the vulnerability does

01Description

A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove user groups via crafted HTTP requests.

Key dates

02Disclosure timeline

February 12, 2025 CVE published

February 17, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-26368 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

04Related CVE

CVE-2025-49265 WordPress Membership For WooCommerce plugin <= 2.8.1 - Broken Access Control Vulnerability CVE-2025-9637 Quiz and Survey Master (QSM) <= 10.3.1 - Missing Authorization to Unpublished, Private And Password-Protected Quiz Information Disclosure And Image Response Uploads CVE-2025-23771 WordPress Push Notification for Post and BuddyPress plugin <= 2.11 - Settings Change vulnerability CVE-2023-41803 WordPress BitPay Checkout for WooCommerce plugin <= 4.1.0 - Broken Access Control vulnerability CVE-2021-44233