Cyber Resilience

CVE-2025-26346

Medium

Published: 12 February 2025

Published
12 February 2025
Modified
24 October 2025
KEV Added
Patch
CVSS Score v3.1 5.5 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L
EPSS Score 0.0018 40.0th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-26346 is a medium-severity SQL Injection (CWE-89) vulnerability in Q-Free Maxtime. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Databases (T1213.006); ranked at the 40.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-26346 is a SQL injection vulnerability classified under CWE-89, stemming from improper neutralization of special elements used in an SQL command. It affects Q-Free MaxTime in versions less than or equal to 2.11.0, specifically within the maxprofile/menu/model.lua component at the editUserGroupMenu endpoint. Published on 2025-02-12, the flaw enables an authenticated remote attacker to execute arbitrary SQL commands through crafted HTTP requests.

The vulnerability requires high privileges (PR:H) for exploitation over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). A successful attack can compromise data integrity (I:H) and cause limited availability impact (A:L), but does not affect confidentiality (C:N) or change the scope (S:U). The CVSS v3.1 base score reflects a moderate severity of 5.5.

Mitigation guidance is available in the Nozomi Networks vulnerability advisory at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26346.

EU & UK References

Vulnerability details

A CWE-89 "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" in maxprofile/menu/model.lua (editUserGroupMenu endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to execute arbitrary SQL commands via crafted…

more

HTTP requests.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
T1485 Data Destruction Impact
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

SQL injection enables arbitrary SQL execution for database data collection/exfiltration (T1213.006), stored data modification/manipulation (T1565.001), and data destruction/deletion (T1485).

CVEs Like This One

CVE-2025-26348Same product: Q-Free Maxtime
CVE-2025-26356Same product: Q-Free Maxtime
CVE-2025-26361Same product: Q-Free Maxtime
CVE-2025-26354Same product: Q-Free Maxtime
CVE-2025-26359Same product: Q-Free Maxtime
CVE-2025-26343Same product: Q-Free Maxtime
CVE-2025-26362Same product: Q-Free Maxtime
CVE-2025-26345Same product: Q-Free Maxtime
CVE-2025-26363Same product: Q-Free Maxtime
CVE-2025-1100Same product: Q-Free Maxtime

Affected Assets

q-free
maxtime
≤ 2.11.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates SQL injection in the editUserGroupMenu endpoint by requiring validation and neutralization of special elements in HTTP request inputs to SQL commands.

prevent

Ensures timely remediation and patching of the specific SQL injection flaw in maxprofile/menu/model.lua of Q-Free MaxTime <= 2.11.0.

detect

Provides vulnerability scanning to identify SQL injection flaws like CVE-2025-26346 in the affected application.

References