Aggregates CVE and security vulnerability intelligence across all QNAP-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Disclosed issues often relate to vendor risk memory corruption, vendor risk cross-site scripting, and vendor risk path handling; exposure may include vendor impact application crash in vendor surface production workloads contexts.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-26241 | A buffer overflow vulnerability has been reported to affect File Station 5. The remote attackers can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5243 and later | [email protected] | 5.3 | 0.14% | 2026-06-10 | 2026-06-12 |
| CVE-2026-26240 | A buffer overflow vulnerability has been reported to affect File Station 5. The remote attackers can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5243 and later | [email protected] | 5.3 | 0.14% | 2026-06-10 | 2026-06-12 |
| CVE-2026-26239 | A buffer overflow vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5208 and later | [email protected] | 8.7 | 0.13% | 2026-06-10 | 2026-06-12 |
| CVE-2026-26237 | A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions. We have already fixed the vulnerability in the following version: QuMagie 2.9.0 and later | [email protected] | 8.7 | 0.04% | 2026-06-10 | 2026-06-12 |
| CVE-2026-24724 | An incorrect authorization vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass intended access restrictions. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5243 and later | [email protected] | 8.6 | 0.04% | 2026-06-10 | 2026-06-12 |
| CVE-2026-24720 | An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5243 and later | [email protected] | 5.3 | 0.15% | 2026-06-10 | 2026-06-12 |
| CVE-2026-24717 | A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3459 build 20260409 and later | [email protected] | 5.1 | 0.04% | 2026-06-10 | 2026-06-12 |
| CVE-2026-22899 | A NULL pointer dereference vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5208 and later | [email protected] | 5.3 | 0.10% | 2026-06-10 | 2026-06-12 |
| CVE-2025-62851 | A path traversal vulnerability has been reported to affect License Center. If a local attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: License Center 1.9.56 and later | [email protected] | 6.9 | 0.04% | 2026-06-10 | 2026-06-12 |
| CVE-2025-66276 | QuTS hero is not affected. We have already fixed the vulnerability in the following version: QTS 5.2.7.3256 build 20250913 and later | [email protected] | 9.2 | 0.04% | 2026-06-10 | 2026-06-12 |
| CVE-2026-44083 | An authorization bypass through user-controlled key vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to gain unintended privileges. We have already fixed the vulnerability in the following version: QuMagie 2.9.1 and later | [email protected] | 8.7 | 0.06% | 2026-06-09 | 2026-06-12 |
| CVE-2025-62858 | A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20260214 and later QuTS hero h5.2.9.3410 build 20260214 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3397 build 20260206 and later | [email protected] | 5.1 | 0.12% | 2026-06-09 | 2026-06-12 |
| CVE-2026-41539 | A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3500 build 20260520 and later | [email protected] | 8.7 | 0.09% | 2026-06-09 | 2026-06-12 |
| CVE-2026-26236 | A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions. We have already fixed the vulnerability in the following version: QuMagie 2.9.0 and later | [email protected] | 8.7 | 0.04% | 2026-06-09 | 2026-06-12 |
| CVE-2026-22902 | A command injection vulnerability has been reported to affect QuNetSwitch. If a local attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.5.0906 and later | [email protected] | 5.7 | 0.03% | 2026-03-20 | 2026-03-25 |
| CVE-2026-22901 | A command injection vulnerability has been reported to affect QuNetSwitch. If a remote attacker gains a user account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.5.0906 and later | [email protected] | 6.3 | 0.48% | 2026-03-20 | 2026-03-25 |
| CVE-2026-22900 | A use of hard-coded credentials vulnerability has been reported to affect QuNetSwitch. The remote attackers can then exploit the vulnerability to gain unauthorized access. We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.5.0906 and later | [email protected] | 6.8 | 0.23% | 2026-03-20 | 2026-03-25 |
| CVE-2026-22898 | A missing authentication for critical function vulnerability has been reported to affect QVR Pro. The remote attackers can then exploit the vulnerability to gain access to the system. We have already fixed the vulnerability in the following version: QVR Pro 2.7.4.14 and later | [email protected] | 9.3 | 0.59% | 2026-03-20 | 2026-04-14 |
| CVE-2026-22897 | A command injection vulnerability has been reported to affect QuNetSwitch. The remote attackers can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.4.0415 and later | [email protected] | 8.1 | 0.40% | 2026-03-20 | 2026-03-25 |
| CVE-2026-22895 | A cross-site scripting (XSS) vulnerability has been reported to affect QuFTP Service. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: QuFTP Service 1.4.3 and later QuFTP Service 1.5.2 and later QuFTP Service 1.6.2 and later | [email protected] | 6.2 | 0.07% | 2026-03-20 | 2026-06-09 |