Cyber Posture

CVE-2025-26346

Medium

Published: 12 February 2025

Modified: 24 October 2025
KEV Added
Patch
CVSS Score: 5.5 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L)
EPSS Score: 0.0018 (39.7th percentile)
Risk Priority: 11 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-26346 is a medium-severity SQL Injection (CWE-89) vulnerability in Q-Free MaxTime. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Databases (T1213.006). Its EPSS exploit likelihood ranks at the 39.7th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Databases (T1213.006) and two other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent (SI-10, Information Input Validation): Directly mitigates SQL injection in the editUserGroupMenu endpoint by requiring validation and neutralization of special elements in HTTP request inputs before they reach SQL commands.

Prevent: Ensures timely remediation and patching of the specific SQL injection flaw in maxprofile/menu/model.lua of Q-Free MaxTime <= 2.11.0.

Detect (RA-5, Vulnerability Monitoring and Scanning): Provides vulnerability scanning to identify SQL injection flaws like CVE-2025-26346 in the affected application.

MITRE ATT&CK Enterprise Techniques [AI]

T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.
T1485 Data Destruction (Impact): Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
T1565.001 Stored Data Manipulation (Impact): Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

SQL injection enables arbitrary SQL execution for database data collection/exfiltration (T1213.006), stored data modification/manipulation (T1565.001), and data destruction/deletion (T1485).

NVD Description

A CWE-89 "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" in maxprofile/menu/model.lua (editUserGroupMenu endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to execute arbitrary SQL commands via crafted HTTP requests.

Deeper analysis [AI]

CVE-2025-26346 is a SQL injection vulnerability classified under CWE-89, stemming from improper neutralization of special elements used in an SQL command. It affects Q-Free MaxTime in versions less than or equal to 2.11.0, specifically within the maxprofile/menu/model.lua component at the editUserGroupMenu endpoint. Published on 2025-02-12, the flaw enables an authenticated remote attacker to execute arbitrary SQL commands through crafted HTTP requests.

The vulnerability requires high privileges (PR:H) for exploitation over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). A successful attack can compromise data integrity (I:H) and cause limited availability impact (A:L), but does not affect confidentiality (C:N) or change the scope (S:U). The CVSS v3.1 base score reflects a moderate severity of 5.5.

Mitigation guidance is available in the Nozomi Networks vulnerability advisory at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26346.

Details

CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection')

Affected Products: q-free maxtime ≤ 2.11.0

CVEs Like This One

CVE-2025-26348 (same product: Q-Free MaxTime)
CVE-2025-26356 (same product: Q-Free MaxTime)
CVE-2025-26361 (same product: Q-Free MaxTime)
CVE-2025-26354 (same product: Q-Free MaxTime)
CVE-2025-26359 (same product: Q-Free MaxTime)
CVE-2025-26370 (same product: Q-Free MaxTime)
CVE-2025-26378 (same product: Q-Free MaxTime)
CVE-2025-26345 (same product: Q-Free MaxTime)
CVE-2025-26371 (same product: Q-Free MaxTime)
CVE-2025-26341 (same product: Q-Free MaxTime)

References