CVE-2025-26346 Information

Description

A CWE-89 \Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)\ in maxprofile/menu/model.lua (editUserGroupMenu endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to execute arbitrary SQL commands via crafted HTTP requests.

Reference

https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26346

Related CNNVD

CNNVD-202507-3034 (Published: 2025-07-23)