CVE-2025-26351
Published: 12 February 2025
Summary
CVE-2025-26351 is a medium-severity Path Traversal: '.../...//' (CWE-35) vulnerability in Q-Free MaxTime. Its CVSS base score is 4.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique File and Directory Discovery (T1083). The CVE ranks at the 38.2 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4163
Vulnerability details
A CWE-35 "Path Traversal" in the template download mechanism in Q-Free MaxTime versions 2.11.0 and earlier allows an authenticated remote attacker to read sensitive files via crafted HTTP requests.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal allows authenticated remote reading of arbitrary sensitive files, facilitating File and Directory Discovery (T1083) and access to unsecured Credentials in Files (T1552.001).