CVE-2025-26346

MEDIUM Year: 2025
CVSS v3 Score
5.5
Medium
Weakness Type
CWE-89
View all →

Vulnerability Description

A CWE-89 "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" in maxprofile/menu/model.lua (editUserGroupMenu endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to execute arbitrary SQL commands via crafted HTTP requests.

Related Vulnerabilities

CVE-2017-20195

MEDIUM
CVSS:5.5(Medium)

A vulnerability was found in LUNAD3v AreaLoad up to 1a1103182ed63a06dde63d1712f3262eda19c3ec. It has been rated as critical. This issue affects some unknown processing of the file request.php. The man...

CWE-892017

CVE-2018-9493

MEDIUM
CVSS:5.5(Medium)

In the content provider of the download manager, there is a possible SQL injection due to improper input validation. This could lead to local information disclosure with no additional execution privil...

CWE-892018

CVE-2019-19850

MEDIUM
CVSS:5.5(Medium)

An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. Because escaping of user-submitted content is mishandled, the class QueryGenerator is vulnerable to SQL injec...

CWE-892019

CVE-2019-2196

MEDIUM
CVSS:5.5(Medium)

In Download Provider, there is possible SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.P...

CWE-892019

CVE-2019-2198

MEDIUM
CVSS:5.5(Medium)

In Download Provider, there is a possible SQL injection vulnerability. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed fo...

CWE-892019

CVE-2020-0344

MEDIUM
CVSS:5.5(Medium)

In MediaProvider, there is a possible permissions bypass due to SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not n...

CWE-892020