Vulnerability Details CVE-2025-26356
A CWE-35 "Path Traversal" in maxtime/api/database/database.lua (setActive endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite sensitive files via crafted HTTP requests.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.018
EPSS Ranking 82.6%
CVSS Severity
CVSS v3 Score 7.2