CVE-2025-26346

5.5 MEDIUM

📋 TL;DR

This SQL injection vulnerability in Q-Free MaxTime allows authenticated attackers to execute arbitrary SQL commands via crafted HTTP requests to the editUserGroupMenu endpoint. It affects all versions up to and including 2.11.0. Attackers could potentially read, modify, or delete database contents.

💻 Affected Systems

Products:
  • Q-Free MaxTime
Versions: All versions ≤ 2.11.0
Operating Systems: Any OS running MaxTime
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the MaxTime web interface.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, privilege escalation, or system takeover via SQL command execution.

🟠 Likely Case

Unauthorized data access, privilege escalation within the application, or database manipulation.

🟢 If Mitigated

Limited impact if proper input validation and parameterized queries are implemented.

🌐 Internet-Facing: HIGH if the MaxTime web interface is exposed to the internet, as authenticated attackers can exploit remotely.
🏢 Internal Only: MEDIUM for internal networks, requiring authenticated access but posing significant risk to database integrity.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but uses standard SQL injection techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version > 2.11.0

Vendor Advisory: https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26346

Restart Required: Yes

Instructions:

1. Upgrade MaxTime to a version above 2.11.0.
2. Apply vendor-provided patches if available.
3. Restart MaxTime services.

🔧 Temporary Workarounds

Input Validation Filter (all)

Implement web application firewall rules or input validation to block SQL injection patterns.

Network Segmentation (all)

Restrict access to the MaxTime web interface to trusted IP addresses only.

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries in the application code.
  • Deploy a web application firewall (WAF) with SQL injection protection rules.

🔍 How to Verify

Check if Vulnerable:

Check MaxTime version via web interface or configuration files. If version ≤ 2.11.0, assume vulnerable.

Check Version:

Check MaxTime web interface admin panel or configuration files for version information.

Verify Fix Applied:

Verify version is > 2.11.0 and test editUserGroupMenu endpoint with SQL injection payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by editUserGroupMenu requests
  • HTTP requests with SQL keywords to editUserGroupMenu endpoint

Network Indicators:

  • HTTP POST requests to /editUserGroupMenu with SQL injection patterns
  • Unusual database traffic from MaxTime application server

SIEM Query:

source="MaxTime" AND (url="*editUserGroupMenu*" AND (payload="*SELECT*" OR payload="*UNION*" OR payload="*OR 1=1*"))
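The SIEM query above expresses the same logic as a small log scanner. The following is an added example, not code from the advisory or from Q-Free: it reads web-server access log lines, flags requests to the editUserGroupMenu endpoint whose decoded URL or body contains the SQL keywords named above, and also applies the "failed logins followed by editUserGroupMenu requests" indicator by counting prior 401/403 responses per source IP. The access-log format, the /login path, the status codes, the threshold of three failures and the sample lines are all assumptions constructed for the example; MaxTime's real log format and paths may differ.

```python
"""Added example (not from the advisory or Q-Free): flag access-log lines that
match the CVE-2025-26346 detection indicators listed above. The log format,
the /login path, the status codes and the sample lines are assumptions."""
import re
import urllib.parse
from collections import defaultdict
from typing import Dict, List, Optional

# Keyword patterns mirror the SIEM query above (SELECT, UNION, OR 1=1).
SQLI_PATTERNS = {
    "SELECT": re.compile(r"\bSELECT\b", re.IGNORECASE),
    "UNION": re.compile(r"\bUNION\b", re.IGNORECASE),
    "OR 1=1": re.compile(r"\bOR\s+1\s*=\s*1\b", re.IGNORECASE),
}

# Assumed log format: combined-style access log with an optional trailing
# quoted request body, e.g.
#   10.0.0.5 - alice [05/Mar/2025:10:01:02 +0000] "POST /editUserGroupMenu HTTP/1.1" 200 512 "groupId=1"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<body>[^"]*)")?$'
)

TARGET_ENDPOINT = "editUserGroupMenu"  # endpoint named in the advisory
LOGIN_PATH = "/login"                  # assumption: MaxTime's real login path may differ
FAILED_LOGIN_THRESHOLD = 3             # assumption: tune for your environment


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access-log line into named fields, or None if it does not match."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def sqli_hits(entry: Dict[str, str]) -> List[str]:
    """Names of the SQL keyword patterns found in the URL-decoded query string or body."""
    text = (urllib.parse.unquote_plus(entry["url"]) + " "
            + urllib.parse.unquote_plus(entry.get("body") or ""))
    return [name for name, pat in SQLI_PATTERNS.items() if pat.search(text)]


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """One alert per suspicious line, using the two indicators from the advisory:
    (1) SQL keywords in a request to editUserGroupMenu, and
    (2) an editUserGroupMenu request from a source IP that just had repeated failed logins."""
    failed_logins: Dict[str, int] = defaultdict(int)
    alerts: List[Dict[str, object]] = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue  # unparseable line; a production scanner would count these
        if e["url"].startswith(LOGIN_PATH) and e["status"] in ("401", "403"):
            failed_logins[e["ip"]] += 1
            continue
        if TARGET_ENDPOINT not in e["url"]:
            continue
        reasons = [f"sql keyword: {h}" for h in sqli_hits(e)]
        if failed_logins[e["ip"]] >= FAILED_LOGIN_THRESHOLD:
            reasons.append(f"{failed_logins[e['ip']]} failed logins before request")
        if reasons:
            alerts.append({"ip": e["ip"], "user": e["user"], "ts": e["ts"], "reasons": reasons})
    return alerts


# Constructed sample log lines (not real traffic); the last two carry the
# keyword patterns the SIEM query above already looks for.
SAMPLE_LOG = [
    '10.0.0.5 - alice [05/Mar/2025:10:01:02 +0000] "POST /editUserGroupMenu HTTP/1.1" 200 512 "groupId=7&name=Operators"',
    '10.0.0.9 - - [05/Mar/2025:10:02:10 +0000] "POST /login HTTP/1.1" 401 0 "user=admin"',
    '10.0.0.9 - - [05/Mar/2025:10:02:12 +0000] "POST /login HTTP/1.1" 401 0 "user=admin"',
    '10.0.0.9 - - [05/Mar/2025:10:02:15 +0000] "POST /login HTTP/1.1" 401 0 "user=admin"',
    '10.0.0.9 - - [05/Mar/2025:10:02:40 +0000] "POST /login HTTP/1.1" 200 0 "user=admin"',
    '10.0.0.9 - admin [05/Mar/2025:10:03:01 +0000] "POST /editUserGroupMenu HTTP/1.1" 200 512 "groupId=7+OR+1%3D1"',
    '10.0.0.9 - admin [05/Mar/2025:10:03:05 +0000] "GET /editUserGroupMenu?groupId=7%20UNION%20SELECT%201 HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample, the scanner ignores the legitimate request from alice and raises two alerts for 10.0.0.9, each citing both the keyword match and the three failed logins that preceded it. Decoding the URL and body before matching matters: the keyword patterns in the SIEM query do not match URL-encoded requests as written, so a raw-string match alone misses the same requests.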
