CVE-2025-26366 | HackTesting

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to disable front panel authentication via crafted HTTP requests.

Credits

Diego Giubertoni of Nozomi Networks found this bug during a security research activity.

Q-Free

References

https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26366