QNAP
Known Exploited QNAP Vulnerabilities
The following QNAP vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| QNAP VioStor NVR OS Command Injection Vulnerability | QNAP VioStor NVR contains an OS command injection vulnerability that allows authenticated users to execute commands via a network. CVE-2023-47565. Exploit Probability: 86.0% | December 21, 2023 |
| QNAP Photo Station Externally Controlled Reference Vulnerability | Certain QNAP NAS running Photo Station with internet exposure contain an externally controlled reference to a resource vulnerability which can allow an attacker to modify system files. This vulnerability was observed being utilized in a Deadbolt ransomware campaign. CVE-2022-27593. Exploit Probability: 93.0% | September 8, 2022 |
| QNAP Photo Station Path Traversal Vulnerability | QNAP devices running Photo Station contain an external control of file name or path vulnerability allowing remote attackers to access or modify system files. CVE-2019-7195. Exploit Probability: 94.1% | June 8, 2022 |
| QNAP Photo Station Path Traversal Vulnerability | QNAP devices running Photo Station contain an external control of file name or path vulnerability allowing remote attackers to access or modify system files. CVE-2019-7194. Exploit Probability: 93.9% | June 8, 2022 |
| QNAP QTS Improper Input Validation Vulnerability | QNAP QTS contains an improper input validation vulnerability allowing remote attackers to inject code on the system. CVE-2019-7193. Exploit Probability: 25.8% | June 8, 2022 |
| QNAP Photo Station Improper Access Control Vulnerability | QNAP NAS devices running Photo Station contain an improper access control vulnerability allowing remote attackers to gain unauthorized access to the system. CVE-2019-7192. Exploit Probability: 94.3% | June 8, 2022 |
| QNAP NAS File Station Cross-Site Scripting Vulnerability | A cross-site scripting vulnerability affecting QNAP NAS File Station could allow remote attackers to inject malicious code. CVE-2018-19953. Exploit Probability: 31.5% | May 24, 2022 |
| QNAP NAS File Station Command Injection Vulnerability | A command injection vulnerability affecting QNAP NAS File Station could allow remote attackers to run commands. CVE-2018-19949. Exploit Probability: 44.2% | May 24, 2022 |
| QNAP NAS File Station Cross-Site Scripting Vulnerability | A cross-site scripting vulnerability affecting QNAP NAS File Station could allow remote attackers to inject malicious code. CVE-2018-19943. Exploit Probability: 5.5% | May 24, 2022 |
| QNAP Network-Attached Storage (NAS) Command Injection Vulnerability | QNAP NAS devices contain a command injection vulnerability which could allow attackers to perform remote code execution. CVE-2020-2509. Exploit Probability: 85.0% | April 11, 2022 |
| QNAP NAS Improper Authorization Vulnerability | QNAP NAS running HBS 3 contains an improper authorization vulnerability which can allow remote attackers to log in to a device. CVE-2021-28799. Exploit Probability: 91.1% | March 31, 2022 |
Of the known exploited vulnerabilities above, 7 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 3 known exploited QNAP vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.
By the Year
In 2026 there have been 61 vulnerabilities in QNAP. Last year, in 2025, QNAP had 86 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in QNAP in 2026 could surpass last year's number.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 61 | 0.00 |
| 2025 | 86 | 8.00 |
| 2024 | 118 | 7.24 |
| 2023 | 37 | 7.11 |
| 2022 | 19 | 8.46 |
| 2021 | 31 | 8.05 |
| 2020 | 18 | 7.21 |
| 2019 | 7 | 7.94 |
| 2018 | 26 | 6.60 |
It may take a day or so for new QNAP vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent QNAP Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2024-14026 | Mar 11, 2026 | Command Injection in QTS / QuTS OS before 5.1.9.2954 (fixed in 5.2.3.3006): A command injection vulnerability has been reported to affect several QNAP operating system versions. If an attacker gains local network access who have also gained a user account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later; QTS 5.2.3.3006 build 20250108 and later; QuTS hero h5.1.9.2954 build 20241120 and later; QuTS hero h5.2.3.3006 build 20250108 and later | |
| CVE-2024-14025 | Mar 11, 2026 | Video Station SQLi RCE, fixed v5.8.2 (admin local): An SQL injection vulnerability has been reported to affect Video Station. If an attacker gains local network access who have also gained an administrator account, they can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following version: Video Station 5.8.2 and later | |
| CVE-2024-14024 | Mar 11, 2026 | Video Station 5.8.2 Improper Cert Validation CVE-2024-14024 (QNAP): An improper certificate validation vulnerability has been reported to affect Video Station. If an attacker gains local network access who have also gained an administrator account, they can then exploit the vulnerability to compromise the security of the system. We have already fixed the vulnerability in the following version: Video Station 5.8.2 and later | |
| CVE-2024-56807 | Feb 11, 2026 | Media Streaming add-on OBRead CVE-2024-56807 vuln before 500.1.1.6: An out-of-bounds read vulnerability has been reported to affect Media Streaming add-on. If an attacker gains local network access, they can then exploit the vulnerability to obtain secret data. We have already fixed the vulnerability in the following version: Media Streaming add-on 500.1.1.6 (2024/08/02) and later | |
| CVE-2024-56808 | Feb 11, 2026 | Command Injection in Media Streaming Add-on <=500.1.1.5: A command injection vulnerability has been reported to affect Media Streaming add-on. If an attacker gains local network access who have also gained a user account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: Media Streaming add-on 500.1.1.6 (2024/08/02) and later | |
| CVE-2025-30266 | Feb 11, 2026 | Null Pointer DoS in Qsync Central <5.0.0.4: A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 (2026/01/20) and later | |
| CVE-2025-30269 | Feb 11, 2026 | Ext-Cont-Format-String Vuln in Qsync Central <5.0.0.4 (CVE-2025-30269): A use of externally-controlled format string vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to obtain secret data or modify memory. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 (2026/01/20) and later | |
| CVE-2025-30276 | Feb 11, 2026 | Qsync Central OOB Write Before v5.0.0.4 Remote Account Exploit: An out-of-bounds write vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to modify or corrupt memory. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 (2026/01/20) and later | |
| CVE-2025-47205 | Feb 11, 2026 | QNAP QTS <=5.2.8.3332 NULL PTR DoS Vulnerability: A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.8.3332 build 20251128 and later; QuTS hero h5.2.8.3321 build 20251117 and later | |
| CVE-2025-47209 | Feb 11, 2026 | Qsync Central NullPtr DoS (pre-5.0.0.4): A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 (2026/01/20) and later | |
| CVE-2025-48722 | Feb 11, 2026 | Qsync Central <5.0.0.4: NULL ptr deref DoS (CVE-2025-48722): A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 (2026/01/20) and later | |
| CVE-2025-48723 | Feb 11, 2026 | Qsync Central <5.0.0.4 Buffer Overflow Remote Exploit via User Account: A buffer overflow vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 (2026/01/20) and later | |
| CVE-2025-48724 | Feb 11, 2026 | Qsync Central Buffer Overflow 5.0.0.3: A buffer overflow vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 (2026/01/20) and later | |
| CVE-2025-48725 | Feb 11, 2026 | QNAP OS pre-5.3.2.3354 buffer overflow remote AS user: A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: QuTS hero h5.3.2.3354 build 20251225 and later | |
| CVE-2025-52868 | Feb 11, 2026 | Qsync Central Buffer Overflow (before 5.0.0.4): A buffer overflow vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 (2026/01/20) and later | |
| CVE-2025-52869 | Feb 11, 2026 | Buffer Overflow in Qsync Central <5.0.0.4 - Remote User Account Exploit: A buffer overflow vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 (2026/01/20) and later | |
| CVE-2025-52870 | Feb 11, 2026 | Buffer Overflow in Qsync Central 5.0.0.3 and Earlier Enables Remote Crash: A buffer overflow vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 (2026/01/20) and later | |
| CVE-2025-53598 | Feb 11, 2026 | Null Pointer Deref. in Qsync Central (pre-5.0.0.4) Remote DoS: A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 (2026/01/20) and later | |
| CVE-2025-54146 | Feb 11, 2026 | Qsync Central 5.0.0.4+ Fixed: NULL Pointer Deref DoS via Authenticated User: A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 (2026/01/20) and later | |
| CVE-2025-54147 | Feb 11, 2026 | Qsync Central NULL PTR DoS Vulnerability (Qsync Central 5.0.0.3 and earlier): A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 (2026/01/20) and later | |
| CVE-2025-54148 | Feb 11, 2026 | Qsync Central 5.0.0.4 patch for NULL pointer DoS vulnerability CVE-2025-54148: A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 (2026/01/20) and later | |
| CVE-2025-54149 | Feb 11, 2026 | Uncontrolled Resource Consumption in Qsync Central <5.0.0.4 DoS by Local Attacker: An uncontrolled resource consumption vulnerability has been reported to affect Qsync Central. If a local attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 (2026/01/20) and later | |
| CVE-2025-54150 | Feb 11, 2026 | Uncontrolled Resource Consumption Qsync Central 5.0.0.4 DoS: An uncontrolled resource consumption vulnerability has been reported to affect Qsync Central. If a local attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 (2026/01/20) and later | |
| CVE-2025-54151 | Feb 11, 2026 | Uncontrolled Resource Consumption DoS in Qsync Central <5.0.0.4: An uncontrolled resource consumption vulnerability has been reported to affect Qsync Central. If a local attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 (2026/01/20) and later | |
| CVE-2025-54152 | Feb 11, 2026 | Out-of-Range Pointer Offset in Qsync Central 5.0.0.4 Allows Memory Read: A use of out-of-range pointer offset vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read sensitive portions of memory. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 (2026/01/20) and later | |
| CVE-2025-54155 | Feb 11, 2026 | OOM Resource Allocation in File Station 5 before 5.5.6.5018: An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 5. If a remote attacker gains an administrator account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5018 and later | |
| CVE-2025-54161 | Feb 11, 2026 | Resource Allocation DoS in Synology File Station 5 (Fixed 5.5.6.5068): An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 5. If a remote attacker gains an administrator account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5068 and later | |
| CVE-2025-54162 | Feb 11, 2026 | File Station 5 Path Traversal CVE-2025-54162 (before 5.5.6.5068): A path traversal vulnerability has been reported to affect File Station 5. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5068 and later | |
| CVE-2025-54163 | Feb 11, 2026 | File Station 5 NULL Pointer Deref DoS (Admin) Fixed in 5.5.6.5166: A NULL pointer dereference vulnerability has been reported to affect File Station 5. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5166 and later | |
| CVE-2025-54169 | Feb 11, 2026 | Out-of-bounds Read in Synology File Station 5 before 5.5.6.5068: An out-of-bounds read vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to obtain secret data. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5068 and later | |
| CVE-2025-54170 | Feb 11, 2026 | Qsync Central 5.0.0.3 OOB Read Remote Exploit: An out-of-bounds read vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to obtain secret data. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 (2026/01/20) and later | |
| CVE-2025-57707 | Feb 11, 2026 | File Station 5 Static Code Injection Before 5.5.6.5166: An improper neutralization of directives in statically saved code ('Static Code Injection') vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to access restricted data / files. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5166 and later | |
| CVE-2025-57708 | Feb 11, 2026 | Qsync Central 5.0.0.4 Fix: Unbounded Resource Allocation DoS: An allocation of resources without limits or throttling vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 (2026/01/20) and later | |
| CVE-2025-57709 | Feb 11, 2026 | Qsync Central 5.0.0.3: Remote Buffer Overflow Exploitable via User Account: A buffer overflow vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 (2026/01/20) and later | |
| CVE-2025-57710 | Feb 11, 2026 | Res Alloc DoS Qsync Central 5.0.0.4 Fixed: An allocation of resources without limits or throttling vulnerability has been reported to affect Qsync Central. If a remote attacker gains an administrator account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 (2026/01/20) and later | |
| CVE-2025-57711 | Feb 11, 2026 | Resource Allocation DoS via Admin in Qsync Central 5.0.0.4: An allocation of resources without limits or throttling vulnerability has been reported to affect Qsync Central. If a remote attacker gains an administrator account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 (2026/01/20) and later | |
| CVE-2025-57713 | Feb 11, 2026 | Synology File Station 5 weak auth flaw (CVE-2025-57713) fixed in 5.5.6.5166: A weak authentication vulnerability has been reported to affect File Station 5. The remote attackers can then exploit the vulnerability to gain sensitive information. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5166 and later | |
| CVE-2025-58466 | Feb 11, 2026 | QTS 5.2.8.3332 Build DoS via Uninitialized Variable: A use of uninitialized variable vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to denial of service conditions, or modify control flow in unexpected ways. We have already fixed the vulnerability in the following versions: QTS 5.2.8.3332 build 20251128 and later; QuTS hero h5.2.8.3321 build 20251117 and later | |
| CVE-2025-58467 | Feb 11, 2026 | Qsync Central 5.0 < 5.0.0.4 Path Traversal LFI Remote: A relative path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 (2026/01/20) and later | |
| CVE-2025-58470 | Feb 11, 2026 | Qsync Central <5.0.0.4 Path Traversal - arbitrary file read: A path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 (2026/01/20) and later | |
| CVE-2025-58471 | Feb 11, 2026 | Resource Throttling DoS in Qsync Central <5.2.0.1 via Admin Access: An allocation of resources without limits or throttling vulnerability has been reported to affect Qsync Central. If a remote attacker gains an administrator account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: Qsync Central 5.2.0.1 (2025/12/21) and later | |
| CVE-2025-58472 | Feb 11, 2026 | Null Pointer Dref in Qsync Central <5.0.0.4 (CVE-2025-58472) DoS: A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 (2026/01/20) and later | |
| CVE-2025-59386 | Feb 11, 2026 | QNAP OS NULL Pointer Deref DoS via Admin Remote (pre-5.3.2.3354): A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: QuTS hero h5.3.2.3354 build 20251225 and later | |
| CVE-2025-62853 | Feb 11, 2026 | File Station 5 Path Traversal (CVE-2025-62853) reads files (fixed 5.5.6.5166): A path traversal vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5166 and later | |
| CVE-2025-62854 | Feb 11, 2026 | Uncontrolled Resource Consumption in Synology File Station 5 (<5.5.6.5190) DoS: An uncontrolled resource consumption vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5190 and later | |
| CVE-2025-62855 | Feb 11, 2026 | File Station 5 Path Traversal Fix v5.5.6.5190: A path traversal vulnerability has been reported to affect File Station 5. If a local attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5190 and later | |
| CVE-2025-62856 | Feb 11, 2026 | File Station 5 Path Traversal <5.5.6.5190 Local Admin Can Read Files: A path traversal vulnerability has been reported to affect File Station 5. If a local attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5190 and later | |
| CVE-2025-66274 | Feb 11, 2026 | QNAP QuTS hero OS <=5.3.2.3354 NULL Pointer DoS: A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: QuTS hero h5.3.2.3354 build 20251225 and later | |
| CVE-2025-66277 | Feb 11, 2026 | QNAP QTS/QuTS Hero: Link Following Path Traversal (pre-5.2.8/5.3.2): A link following vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to traverse the file system to unintended locations. We have already fixed the vulnerability in the following versions: QTS 5.2.8.3350 build 20251216 and later; QuTS hero h5.3.2.3354 build 20251225 and later; QuTS hero h5.2.8.3350 build 20251216 and later | |
| CVE-2025-66278 | Feb 11, 2026 | File Station 5 path traversal allows remote file read - fixed in 5.5.6.5190: A path traversal vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5190 and later | |