CVE-2025-26348 Information

Description

A CWE-89 \Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)\ in maxprofile/menu/model.lua (editUserMenu endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to execute arbitrary SQL commands via crafted HTTP requests.

Reference

https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26348