QNAP
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any QNAP product.
RSS Feeds for QNAP security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in QNAP products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by QNAP Sorted by Most Security Vulnerabilities since 2018
Known Exploited QNAP Vulnerabilities
The following QNAP vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| QNAP VioStor NVR OS Command Injection Vulnerability |
QNAP VioStar NVR contains an OS command injection vulnerability that allows authenticated users to execute commands via a network. CVE-2023-47565 Exploit Probability: 86.7% |
December 21, 2023 |
| QNAP Photo Station Externally Controlled Reference Vulnerability |
Certain QNAP NAS running Photo Station with internet exposure contain an externally controlled reference to a resource vulnerability which can allow an attacker to modify system files. This vulnerability was observed being utilized in a Deadbolt ransomware campaign. CVE-2022-27593 Exploit Probability: 93.8% |
September 8, 2022 |
| QNAP Photo Station Path Traversal Vulnerability |
QNAP devices running Photo Station contains an external control of file name or path vulnerability allowing remote attackers to access or modify system files. CVE-2019-7195 Exploit Probability: 94.1% |
June 8, 2022 |
| QNAP Photo Station Path Traversal Vulnerability |
QNAP devices running Photo Station contains an external control of file name or path vulnerability allowing remote attackers to access or modify system files. CVE-2019-7194 Exploit Probability: 93.9% |
June 8, 2022 |
| QNAP QTS Improper Input Validation Vulnerability |
QNAP QTS contains an improper input validation vulnerability allowing remote attackers to inject code on the system. CVE-2019-7193 Exploit Probability: 25.8% |
June 8, 2022 |
| QNAP Photo Station Improper Access Control Vulnerability |
QNAP NAS devices running Photo Station contain an improper access control vulnerability allowing remote attackers to gain unauthorized access to the system. CVE-2019-7192 Exploit Probability: 94.3% |
June 8, 2022 |
| QNAP NAS File Station Cross-Site Scripting Vulnerability |
A cross-site scripting vulnerability affecting QNAP NAS File Station could allow remote attackers to inject malicious code. CVE-2018-19953 Exploit Probability: 31.5% |
May 24, 2022 |
| QNAP NAS File Station Command Injection Vulnerability |
A command injection vulnerability affecting QNAP NAS File Station could allow remote attackers to run commands. CVE-2018-19949 Exploit Probability: 44.2% |
May 24, 2022 |
| QNAP NAS File Station Cross-Site Scripting Vulnerability |
A cross-site scripting vulnerability affecting QNAP NAS File Station could allow remote attackers to inject malicious code. CVE-2018-19943 Exploit Probability: 7.0% |
May 24, 2022 |
| QNAP Network-Attached Storage (NAS) Command Injection Vulnerability |
QNAP NAS devices contain a command injection vulnerability which could allow attackers to perform remote code execution. CVE-2020-2509 Exploit Probability: 84.0% |
April 11, 2022 |
| QNAP NAS Improper Authorization Vulnerability |
QNAP NAS running HBS 3 contains an improper authorization vulnerability which can allow remote attackers to log in to a device. CVE-2021-28799 Exploit Probability: 92.4% |
March 31, 2022 |
Of the known exploited vulnerabilities above, 7 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 3 known exploited QNAP vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.
By the Year
In 2026 there have been 97 vulnerabilities in QNAP. Last year, in 2025 QNAP had 86 security vulnerabilities published. That is, 11 more vulnerabilities have already been reported in 2026 as compared to last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 97 | 0.00 |
| 2025 | 86 | 8.00 |
| 2024 | 118 | 7.24 |
| 2023 | 37 | 7.11 |
| 2022 | 19 | 8.46 |
| 2021 | 31 | 8.05 |
| 2020 | 18 | 7.21 |
| 2019 | 7 | 7.94 |
| 2018 | 26 | 6.60 |
It may take a day or so for new QNAP vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent QNAP Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-26240 | Jun 10, 2026 |
File Station 5 Buffer Overflow (fixed v5.5.6.5243)A buffer overflow vulnerability has been reported to affect File Station 5. The remote attackers can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5243 and later |
File Station
|
| CVE-2026-26241 | Jun 10, 2026 |
File Station 5 Buffer Overflow (pre-5.5.6.5243) Remote Memory CorruptionA buffer overflow vulnerability has been reported to affect File Station 5. The remote attackers can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5243 and later |
File Station
|
| CVE-2026-24724 | Jun 10, 2026 |
QNAP File Station <=5.5.6.5243 Auth Bypass via Wrong AuthorizationAn incorrect authorization vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass intended access restrictions. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5243 and later |
File Station
|
| CVE-2026-26239 | Jun 10, 2026 |
File Station 5 Buffer Overflow via Remote User Fixed in 5.5.6.5208A buffer overflow vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5208 and later |
File Station
|
| CVE-2026-26237 | Jun 10, 2026 |
QuMagie: Missing Auth Unauth Data Access, fixed v2.9.0A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions. We have already fixed the vulnerability in the following version: QuMagie 2.9.0 and later |
Qumagie
|
| CVE-2026-24719 | Jun 10, 2026 |
Cmd Injection in QTS 5.2.9 (pre-20260507) & QuTS hero (pre-20260514)A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later |
Qts
Quts Hero
|
| CVE-2026-24717 | Jun 10, 2026 |
QNAP QTS/QuTS Hero path traversal CVE-2026-24717 before 5.2.9.3492A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3459 build 20260409 and later |
Qts
Quts Hero
|
| CVE-2026-24716 | Jun 10, 2026 |
QNAP QTS DoS via NULL ptr in 5.2.9.3492+A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3459 build 20260409 and later |
Qts
Quts Hero
|
| CVE-2026-24720 | Jun 10, 2026 |
QNAP File Station 6 Unbounded Resource Allocation DoSAn allocation of resources without limits or throttling vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5243 and later |
File Station
|
| CVE-2026-22899 | Jun 10, 2026 |
File Station 6 NULL PTR DoS (fixed 5.5.6.5208+)A NULL pointer dereference vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5208 and later |
File Station
|
| CVE-2026-22893 | Jun 10, 2026 |
CmdInject in QNAP QTS/QuTS before 5.2.9.3410A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20260214 and later QuTS hero h5.2.9.3410 build 20260214 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3459 build 20260409 and later |
Qts
Quts Hero
|
| CVE-2025-66281 | Jun 10, 2026 |
QNAP QTS Null Ptr Deref DoS (pre 5.2.9.3410, fixed in 5.2.9.3410)A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20260214 and later QuTS hero h5.2.9.3410 build 20260214 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3397 build 20260206 and later |
Qts
Quts Hero
|
| CVE-2025-66280 | Jun 10, 2026 |
QNAP QTS/QuTS Integer Overflow (Admin) CVE-2025-66280 Fixed v5.2.9.3410+An integer overflow or wraparound vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to compromise the security of the system. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20260214 and later QuTS hero h5.2.9.3410 build 20260214 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3397 build 20260206 and later |
Qts
Quts Hero
|
| CVE-2025-66279 | Jun 10, 2026 |
Command Injection in QNAP QTS/QuTS Hero (5.2.9.3410, 5.3.4.3500)A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20260214 and later QuTS hero h5.2.9.3410 build 20260214 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3397 build 20260206 and later |
Qts
Quts Hero
|
| CVE-2025-66273 | Jun 10, 2026 |
QTS/QuTS Hero cmd injection CVE202566273 before 5.2.9.3410A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20260214 and later QuTS hero h5.2.9.3410 build 20260214 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3397 build 20260206 and later |
Qts
Quts Hero
|
| CVE-2025-62851 | Jun 10, 2026 |
License Center PT (pre1.9.56) fixed in 1.9.56A path traversal vulnerability has been reported to affect License Center. If a local attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: License Center 1.9.56 and later |
|
| CVE-2025-62850 | Jun 10, 2026 |
QNAP QuTS hero NULL ptr DoS (pre 5.3.4/6.0)A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QuTS hero h5.2.9.3410 build 20260214 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3459 build 20260409 and later |
Quts Hero
|
| CVE-2025-58468 | Jun 10, 2026 |
CSRF in QNAP Notification Center <1.10.0.3291A cross-site request forgery (CSRF) vulnerability has been reported to affect Notification Center. The remote attackers can then exploit the vulnerability to gain privileges or hijack user identities. We have already fixed the vulnerability in the following version: Notification Center 1.10.0.3291 and later |
|
| CVE-2025-59382 | Jun 10, 2026 |
QNAP CVE-2025-59382 Fix ImplementedQTS, QuTS hero, QuTScloud are not affected. We have already fixed the vulnerability in the following version: |
Qts
Quts Hero
Qutscloud
And others... |
| CVE-2026-44083 | Jun 09, 2026 |
QuMagie <2.9.1 Auth Bypass via User-Controlled KeyAn authorization bypass through user-controlled key vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to gain unintended privileges. We have already fixed the vulnerability in the following version: QuMagie 2.9.1 and later |
Qumagie
|
| CVE-2025-62858 | Jun 09, 2026 |
Buffer Overflow in QNAP OS (pre-5.2.9.3410, pre-5.3.4.3500, pre-6.0.0.3397)A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20260214 and later QuTS hero h5.2.9.3410 build 20260214 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3397 build 20260206 and later |
Qts
Quts Hero
|
| CVE-2026-41539 | Jun 09, 2026 |
XSS in QNAP QTS/QuTS hero before 5.2.9.3492A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3500 build 20260520 and later |
Qts
Quts Hero
|
| CVE-2026-26236 | Jun 09, 2026 |
Missing Auth in QuMagie 2.9.0 Fixed (CVE-2026-26236)A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions. We have already fixed the vulnerability in the following version: QuMagie 2.9.0 and later |
Qumagie
|
| CVE-2025-59383 | Mar 20, 2026 |
Buffer Overflow in Media Streaming Add-On <500.1.1 (QNAP)A buffer overflow vulnerability has been reported to affect Media Streaming Add-On. The remote attackers can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: Media Streaming Add-on 500.1.1 and later |
|
| CVE-2025-62843 | Mar 20, 2026 |
QuRouter 2.x - Improper Channel Endpoint Restriction (Physical Access)An improper restriction of communication channel to intended endpoints vulnerability has been reported to affect QHora. If an attacker gains physical access, they can then exploit the vulnerability to gain the privileges that were intended for the original endpoint. We have already fixed the vulnerability in the following version: QuRouter 2.6.3.009 and later |
|
| CVE-2025-62844 | Mar 20, 2026 |
QHora Weak Auth Vulnerability (QuRouter <2.6.2.007), fixed 2.6.2.007A weak authentication vulnerability has been reported to affect QHora. If an attacker gains local network access, they can then exploit the vulnerability to gain sensitive information. We have already fixed the vulnerability in the following version: QuRouter 2.6.2.007 and later |
|
| CVE-2025-62845 | Mar 20, 2026 |
Escape Sequence Issue in QRouter 2.6.3.009 (QHora) Local Admin ExploitAn improper neutralization of escape, meta, or control sequences vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to cause unexpected behavior. We have already fixed the vulnerability in the following version: QuRouter 2.6.3.009 and later |
|
| CVE-2025-62846 | Mar 20, 2026 |
SQLi in QHora PreQuRouter 2.6.2.007An SQL injection vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following version: QuRouter 2.6.2.007 and later |
|
| CVE-2026-22895 | Mar 20, 2026 |
Cross-Site Scripting (XSS) in QuFTP Service before 1.6.2A cross-site scripting (XSS) vulnerability has been reported to affect QuFTP Service. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: QuFTP Service 1.4.3 and later QuFTP Service 1.5.2 and later QuFTP Service 1.6.2 and later |
|
| CVE-2026-22897 | Mar 20, 2026 |
Command Injection in QuNetSwitch v<2.0.4.0415A command injection vulnerability has been reported to affect QuNetSwitch. The remote attackers can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.4.0415 and later |
|
| CVE-2026-22898 | Mar 20, 2026 |
Missing Auth on Critical Function in QVR Pro before 2.7.4.14A missing authentication for critical function vulnerability has been reported to affect QVR Pro. The remote attackers can then exploit the vulnerability to gain access to the system. We have already fixed the vulnerability in the following version: QVR Pro 2.7.4.14 and later |
Qvr Pro
|
| CVE-2026-22900 | Mar 20, 2026 |
CVE-2026-22900: QuNetSwitch 2.0.5.0906 Fixed Hard-Coded CredentialsA use of hard-coded credentials vulnerability has been reported to affect QuNetSwitch. The remote attackers can then exploit the vulnerability to gain unauthorized access. We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.5.0906 and later |
|
| CVE-2026-22901 | Mar 20, 2026 |
Cmd Injection in QuNetSwitch 2.0.5.0906+ (fixed)A command injection vulnerability has been reported to affect QuNetSwitch. If a remote attacker gains a user account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.5.0906 and later |
|
| CVE-2026-22902 | Mar 20, 2026 |
QuNetSwitch 2.0.5.0906+ Command Injection (CVE-2026-22902)A command injection vulnerability has been reported to affect QuNetSwitch. If a local attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.5.0906 and later |
|
| CVE-2025-59388 | Mar 12, 2026 |
Hyper Data Protector < 2.3.1.455 Hard-Coded Password VulnerabilityA use of hard-coded password vulnerability has been reported to affect Hyper Data Protector. The remote attackers can then exploit the vulnerability to gain unauthorized access. We have already fixed the vulnerability in the following version: Hyper Data Protector 2.3.1.455 and later |
|
| CVE-2024-14026 | Mar 11, 2026 |
Command Injection in QTS / QuTS OS before 5.1.9.2954 (fixed in 5.2.3.3006)A command injection vulnerability has been reported to affect several QNAP operating system versions. If an attacker gains local network access who have also gained a user account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later QTS 5.2.3.3006 build 20250108 and later QuTS hero h5.1.9.2954 build 20241120 and later QuTS hero h5.2.3.3006 build 20250108 and later |
Qts
Quts Hero
|
| CVE-2024-14025 | Mar 11, 2026 |
Video Station SQLi RCE, fixed v5.8.2 (admin local)An SQL injection vulnerability has been reported to affect Video Station. If an attacker gains local network access who have also gained an administrator account, they can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following version: Video Station 5.8.2 and later |
Video Station
|
| CVE-2024-14024 | Mar 11, 2026 |
Video Station 5.8.2 Improper Cert Validation CVE-2024-14024 (QNAP)An improper certificate validation vulnerability has been reported to affect Video Station. If an attacker gains local network access who have also gained an administrator account, they can then exploit the vulnerability to compromise the security of the system. We have already fixed the vulnerability in the following version: Video Station 5.8.2 and later |
Video Station
|
| CVE-2024-56807 | Feb 11, 2026 |
Media Streaming add-on OBRead CVE-2024-56807 vuln before 500.1.1.6An out-of-bounds read vulnerability has been reported to affect Media Streaming add-on. If an attacker gains local network access, they can then exploit the vulnerability to obtain secret data. We have already fixed the vulnerability in the following version: Media Streaming add-on 500.1.1.6 ( 2024/08/02 ) and later |
|
| CVE-2024-56808 | Feb 11, 2026 |
Command Injection in Media Streaming Add-on <=500.1.1.5A command injection vulnerability has been reported to affect Media Streaming add-on. If an attacker gains local network access who have also gained a user account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: Media Streaming add-on 500.1.1.6 ( 2024/08/02 ) and later |
|
| CVE-2025-30266 | Feb 11, 2026 |
Null Pointer DoS in Qsync Central <5.0.0.4A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 ( 2026/01/20 ) and later |
Qsync Central
|
| CVE-2025-30269 | Feb 11, 2026 |
Ext-Cont-Format-String Vuln in Qsync Central <5.0.0.4 (CVE-2025-30269)A use of externally-controlled format string vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to obtain secret data or modify memory. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 ( 2026/01/20 ) and later |
Qsync Central
|
| CVE-2025-30276 | Feb 11, 2026 |
Qsync Central OOB Write Before v5.0.0.4 Remote Account ExploitAn out-of-bounds write vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to modify or corrupt memory. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 ( 2026/01/20 ) and later |
Qsync Central
|
| CVE-2025-47205 | Feb 11, 2026 |
QNAP QTS <=5.2.8.3332 NULL PTR DoS VulnerabilityA NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.8.3332 build 20251128 and later QuTS hero h5.2.8.3321 build 20251117 and later |
Qts
Quts Hero
|
| CVE-2025-47209 | Feb 11, 2026 |
Qsync Central NullPtr DoS (pre-5.0.0.4)A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 ( 2026/01/20 ) and later |
Qsync Central
|
| CVE-2025-48722 | Feb 11, 2026 |
Qsync Central <5.0.0.4: NULL ptr deref DoS (CVE-2025-48722)A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 ( 2026/01/20 ) and later |
Qsync Central
|
| CVE-2025-48723 | Feb 11, 2026 |
Qsync Central <5.0.0.4 Buffer Overflow Remote Exploit via User AccountA buffer overflow vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 ( 2026/01/20 ) and later |
Qsync Central
|
| CVE-2025-48724 | Feb 11, 2026 |
Qsync Central Buffer Overflow 5.0.0.3A buffer overflow vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 ( 2026/01/20 ) and later |
Qsync Central
|
| CVE-2025-48725 | Feb 11, 2026 |
QNAP OS pre-5.3.2.3354 buffer overflow remote AS userA buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: QuTS hero h5.3.2.3354 build 20251225 and later |
Quts Hero
|
| CVE-2025-52868 | Feb 11, 2026 |
Qsync Central Buffer Overflow (before 5.0.0.4)A buffer overflow vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 ( 2026/01/20 ) and later |
Qsync Central
|