CVE-2025-26354

CVE-2025-26354 is a path traversal vulnerability (CWE-35) in the copy endpoint of maxtime/api/database/database.lua within Q-Free MaxTime versions less than or equal to 2.11.0. This flaw enables an authenticated remote attacker to overwrite sensitive files by sending crafted HTTP requests, potentially leading to unauthorized modifications in the system's file structure. The vulnerability received a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low attack complexity, and significant impacts on confidentiality, integrity, and availability.

Exploitation requires high privileges (PR:H), meaning only authenticated users with elevated access, such as administrators, can target the endpoint. A successful attack involves crafting HTTP requests that traverse directory paths to overwrite critical files, which could result in data corruption, privilege escalation, or system compromise depending on the targeted files. The unchanged scope (S:U) suggests the impact remains within the vulnerable component without lateral movement to other systems.

Mitigation details are outlined in the advisory published by Nozomi Networks Labs at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26354, which was referenced alongside the CVE publication on 2025-02-12. Security practitioners should consult this advisory for patching instructions or workarounds specific to Q-Free MaxTime deployments.