Qnap
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Qnap product.
RSS Feeds for Qnap security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in Qnap products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by Qnap Sorted by Most Security Vulnerabilities since 2018
Known Exploited Qnap Vulnerabilities
The following Qnap vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| QNAP VioStor NVR OS Command Injection Vulnerability |
QNAP VioStar NVR contains an OS command injection vulnerability that allows authenticated users to execute commands via a network. CVE-2023-47565 Exploit Probability: 80.9% |
December 21, 2023 |
| QNAP Photo Station Externally Controlled Reference Vulnerability |
Certain QNAP NAS running Photo Station with internet exposure contain an externally controlled reference to a resource vulnerability which can allow an attacker to modify system files. This vulnerability was observed being utilized in a Deadbolt ransomware campaign. CVE-2022-27593 Exploit Probability: 93.6% |
September 8, 2022 |
| QNAP Photo Station Path Traversal Vulnerability |
QNAP devices running Photo Station contains an external control of file name or path vulnerability allowing remote attackers to access or modify system files. CVE-2019-7195 Exploit Probability: 89.0% |
June 8, 2022 |
| QNAP Photo Station Path Traversal Vulnerability |
QNAP devices running Photo Station contains an external control of file name or path vulnerability allowing remote attackers to access or modify system files. CVE-2019-7194 Exploit Probability: 93.1% |
June 8, 2022 |
| QNAP QTS Improper Input Validation Vulnerability |
QNAP QTS contains an improper input validation vulnerability allowing remote attackers to inject code on the system. CVE-2019-7193 Exploit Probability: 56.0% |
June 8, 2022 |
| QNAP Photo Station Improper Access Control Vulnerability |
QNAP NAS devices running Photo Station contain an improper access control vulnerability allowing remote attackers to gain unauthorized access to the system. CVE-2019-7192 Exploit Probability: 94.3% |
June 8, 2022 |
| QNAP NAS File Station Cross-Site Scripting Vulnerability |
A cross-site scripting vulnerability affecting QNAP NAS File Station could allow remote attackers to inject malicious code. CVE-2018-19953 Exploit Probability: 40.1% |
May 24, 2022 |
| QNAP NAS File Station Command Injection Vulnerability |
A command injection vulnerability affecting QNAP NAS File Station could allow remote attackers to run commands. CVE-2018-19949 Exploit Probability: 57.6% |
May 24, 2022 |
| QNAP NAS File Station Cross-Site Scripting Vulnerability |
A cross-site scripting vulnerability affecting QNAP NAS File Station could allow remote attackers to inject malicious code. CVE-2018-19943 Exploit Probability: 5.8% |
May 24, 2022 |
| QNAP Network-Attached Storage (NAS) Command Injection Vulnerability |
QNAP NAS devices contain a command injection vulnerability which could allow attackers to perform remote code execution. CVE-2020-2509 Exploit Probability: 86.9% |
April 11, 2022 |
| QNAP NAS Improper Authorization Vulnerability |
QNAP NAS running HBS 3 contains an improper authorization vulnerability which can allow remote attackers to log in to a device. CVE-2021-28799 Exploit Probability: 88.8% |
March 31, 2022 |
Of the known exploited vulnerabilities above, 7 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 3 known exploited Qnap vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.
By the Year
In 2025 there have been 10 vulnerabilities in Qnap with an average score of 7.8 out of ten. Last year, in 2024 Qnap had 91 security vulnerabilities published. Right now, Qnap is on track to have less security vulnerabilities in 2025 than it did last year. However, the average CVE base score of the vulnerabilities in 2025 is greater by 0.56.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2025 | 10 | 7.82 |
| 2024 | 91 | 7.26 |
| 2023 | 37 | 7.16 |
| 2022 | 18 | 8.37 |
| 2021 | 30 | 8.07 |
| 2020 | 18 | 7.07 |
| 2019 | 6 | 8.25 |
| 2018 | 17 | 7.84 |
It may take a day or so for new Qnap vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Qnap Security Vulnerabilities
An out-of-bounds read vulnerability has been reported to affect File Station 5
CVE-2025-29871
5.5 - Medium
- June 06, 2025
An out-of-bounds read vulnerability has been reported to affect File Station 5. If a local attacker gains an administrator account, they can then exploit the vulnerability to obtain secret data. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4847 and later
Out-of-bounds Read
An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 5
CVE-2025-29872
7.5 - High
- June 06, 2025
An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4847 and later
Allocation of Resources Without Limits or Throttling
A NULL pointer dereference vulnerability has been reported to affect File Station 5
CVE-2025-29873
7.5 - High
- June 06, 2025
A NULL pointer dereference vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4847 and later
NULL Pointer Dereference
A NULL pointer dereference vulnerability has been reported to affect File Station 5
CVE-2025-29876
7.5 - High
- June 06, 2025
A NULL pointer dereference vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4847 and later
NULL Pointer Dereference
A NULL pointer dereference vulnerability has been reported to affect File Station 5
CVE-2025-29877
7.5 - High
- June 06, 2025
A NULL pointer dereference vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4847 and later
NULL Pointer Dereference
An improper certificate validation vulnerability has been reported to affect File Station 5
CVE-2025-29884
8.8 - High
- June 06, 2025
An improper certificate validation vulnerability has been reported to affect File Station 5. If exploited, the vulnerability could allow remote attackers who have gained user access to compromise the security of the system. We have already fixed the vulnerability in the following versions: File Station 5 5.5.6.4791 and later and later
Improper Certificate Validation
An improper certificate validation vulnerability has been reported to affect File Station 5
CVE-2025-29885
8.8 - High
- June 06, 2025
An improper certificate validation vulnerability has been reported to affect File Station 5. If exploited, the vulnerability could allow remote attackers who have gained user access to compromise the security of the system. We have already fixed the vulnerability in the following versions: File Station 5 5.5.6.4791 and later and later
Improper Certificate Validation
An improper certificate validation vulnerability has been reported to affect File Station 5
CVE-2025-22486
8.8 - High
- June 06, 2025
An improper certificate validation vulnerability has been reported to affect File Station 5. If exploited, the vulnerability could allow remote attackers who have gained user access to compromise the security of the system. We have already fixed the vulnerability in the following versions: File Station 5 5.5.6.4791 and later and later
Improper Certificate Validation
A NULL pointer dereference vulnerability has been reported to affect File Station 5
CVE-2025-22490
7.5 - High
- June 06, 2025
A NULL pointer dereference vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4847 and later
NULL Pointer Dereference
An improper certificate validation vulnerability has been reported to affect File Station 5
CVE-2025-29883
8.8 - High
- June 06, 2025
An improper certificate validation vulnerability has been reported to affect File Station 5. If exploited, the vulnerability could allow remote attackers who have gained user access to compromise the security of the system. We have already fixed the vulnerability in the following versions: File Station 5 5.5.6.4791 and later and later
Improper Certificate Validation
QNAP OS Improper Certificate Validation Vulnerability
CVE-2024-48865
- December 06, 2024
An improper certificate validation vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow attackers with local network access to compromise the security of the system. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later QTS 5.2.2.2950 build 20241114 and later QuTS hero h5.1.9.2954 build 20241120 and later QuTS hero h5.2.2.2952 build 20241116 and later
Improper Certificate Validation
QNAP OS URL Encoding Vulnerability
CVE-2024-48866
- December 06, 2024
An improper handling of URL encoding (Hex Encoding) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to run the system into unexpected state. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later QTS 5.2.2.2950 build 20241114 and later QuTS hero h5.1.9.2954 build 20241120 and later QuTS hero h5.2.2.2952 build 20241116 and later
Hex Encoding
QNAP OS: CRLF Injection Vulnerability in HTTP Headers
CVE-2024-48867
- December 06, 2024
An improper neutralization of CRLF sequences ('CRLF Injection') vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to modify application data. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later QTS 5.2.2.2950 build 20241114 and later QuTS hero h5.1.9.2954 build 20241120 and later QuTS hero h5.2.2.2952 build 20241116 and later
CRLF Injection
QNAP OS CRLF Injection Vulnerability in HTTP Headers
CVE-2024-48868
- December 06, 2024
An improper neutralization of CRLF sequences ('CRLF Injection') vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to modify application data. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later QTS 5.2.2.2950 build 20241114 and later QuTS hero h5.1.9.2954 build 20241120 and later QuTS hero h5.2.2.2952 build 20241116 and later
CRLF Injection
QNAP NAS SQL Injection Vulnerability in SMB Service
CVE-2024-50387
- December 06, 2024
A SQL injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to inject malicious code. We have already fixed the vulnerability in the following version: SMB Service 4.15.002 and later SMB Service h4.15.002 and later
SQL Injection
QNAP OS Command Injection Vulnerability
CVE-2024-50393
- December 06, 2024
A command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later QTS 5.2.2.2950 build 20241114 and later QuTS hero h5.1.9.2954 build 20241120 and later QuTS hero h5.2.2.2952 build 20241116 and later
Shell injection
QNAP OS Format String Vulnerability in QTS and QuTS hero
CVE-2024-50402
- December 06, 2024
A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to obtain secret data or modify memory. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later QTS 5.2.2.2950 build 20241114 and later QuTS hero h5.1.9.2954 build 20241120 and later QuTS hero h5.2.2.2952 build 20241116 and later
Use of Externally-Controlled Format String
QNAP OS: Remote Code Execution via Format String Vulnerability
CVE-2024-50403
- December 06, 2024
A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to obtain secret data or modify memory. We have already fixed the vulnerability in the following versions: QTS 5.2.2.2950 build 20241114 and later QuTS hero h5.2.2.2952 build 20241116 and later
Use of Externally-Controlled Format String
QNAP Operating System: Remote Link Following Vulnerability
CVE-2024-53691
- December 06, 2024
A link following vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained user access to traverse the file system to unintended locations. We have already fixed the vulnerability in the following versions: QTS 5.1.8.2823 build 20240712 and later QTS 5.2.0.2802 build 20240620 and later QuTS hero h5.1.8.2823 build 20240712 and later QuTS hero h5.2.0.2802 build 20240620 and later
insecure temporary file
An improper restriction of excessive authentication attempts vulnerability has been reported to affect several QNAP operating system versions
CVE-2024-32771
2.4 - Low
- September 06, 2024
An improper restriction of excessive authentication attempts vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow local network authenticated administrators to perform an arbitrary number of authentication attempts via unspecified vectors. QuTScloud is not affected. We have already fixed the vulnerability in the following versions: QTS 5.2.0.2782 build 20240601 and later QuTS hero h5.2.0.2782 build 20240601 and later
Improper Restriction of Excessive Authentication Attempts
A path traversal vulnerability has been reported to affect several QNAP operating system versions
CVE-2024-21904
6.5 - Medium
- September 06, 2024
A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to read the contents of unexpected files and expose sensitive data via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.7.2770 build 20240520 and later QuTS hero h5.1.7.2770 build 20240520 and later
Directory traversal
An OS command injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2024-21903
4.7 - Medium
- September 06, 2024
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later QuTS hero h5.1.6.2734 build 20240414 and later
Shell injection
An OS command injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2024-21898
8.8 - High
- September 06, 2024
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later QuTS hero h5.1.6.2734 build 20240414 and later
Shell injection
A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions
CVE-2024-21897
5.4 - Medium
- September 06, 2024
A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later QuTS hero h5.1.6.2734 build 20240414 and later
XSS
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-51368
6.5 - Medium
- September 06, 2024
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to launch a denial-of-service (DoS) attack via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later QuTS hero h5.1.6.2734 build 20240414 and later
NULL Pointer Dereference
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-51367
8.8 - High
- September 06, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later QuTS hero h5.1.6.2734 build 20240414 and later
Classic Buffer Overflow
A path traversal vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-51366
6.5 - Medium
- September 06, 2024
A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to read the contents of unexpected files and expose sensitive data via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later QuTS hero h5.1.6.2734 build 20240414 and later
Directory traversal
A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-50366
4.8 - Medium
- September 06, 2024
A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to inject malicious code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later QuTS hero h5.1.6.2734 build 20240414 and later
XSS
A cross-site scripting (XSS) vulnerability has been reported to affect QuLog Center
CVE-2024-32762
6.1 - Medium
- September 06, 2024
A cross-site scripting (XSS) vulnerability has been reported to affect QuLog Center. If exploited, the vulnerability could allow users to inject malicious code via a network. We have already fixed the vulnerability in the following versions: QuLog Center 1.8.0.872 ( 2024/06/17 ) and later QuLog Center 1.7.0.827 ( 2024/06/17 ) and later
XSS
A cross-site scripting (XSS) vulnerability has been reported to affect Notes Station 3
CVE-2024-27126
5.4 - Medium
- September 06, 2024
A cross-site scripting (XSS) vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following versions: Notes Station 3 3.9.6 and later
XSS
A cross-site scripting (XSS) vulnerability has been reported to affect Helpdesk
CVE-2024-27125
4.8 - Medium
- September 06, 2024
A cross-site scripting (XSS) vulnerability has been reported to affect Helpdesk. If exploited, the vulnerability could allow authenticated administrators to inject malicious code via a network. We have already fixed the vulnerability in the following version: Helpdesk 3.3.1 and later
XSS
A cross-site scripting (XSS) vulnerability has been reported to affect Notes Station 3
CVE-2024-27122
5.4 - Medium
- September 06, 2024
A cross-site scripting (XSS) vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following versions: Notes Station 3 3.9.6 and later
XSS
An OS command injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-34974
8.8 - High
- September 06, 2024
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. QuTScloud, QVR, QES are not affected. We have already fixed the vulnerability in the following versions: QTS 4.5.4.2790 build 20240605 and later QuTS hero h4.5.4.2626 build 20231225 and later
Shell injection
An OS command injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2024-38641
7.8 - High
- September 06, 2024
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow local network users to execute commands via unspecified vectors. We have already fixed the vulnerability in the following versions: QTS 5.1.8.2823 build 20240712 and later QuTS hero h5.1.8.2823 build 20240712 and later
Shell injection
A cross-site scripting (XSS) vulnerability has been reported to affect Download Station
CVE-2024-38640
5.4 - Medium
- September 06, 2024
A cross-site scripting (XSS) vulnerability has been reported to affect Download Station. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following version: Download Station 5.8.6.283 ( 2024/06/21 ) and later
XSS
An OS command injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-34979
7.2 - High
- September 06, 2024
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 4.5.4.2790 build 20240605 and later QuTS hero h4.5.4.2790 build 20240606 and later
Shell injection
An improper authentication vulnerability has been reported to affect Music Station
CVE-2023-45038
8.8 - High
- September 06, 2024
An improper authentication vulnerability has been reported to affect Music Station. If exploited, the vulnerability could allow users to compromise the security of the system via a network. We have already fixed the vulnerability in the following version: Music Station 5.4.0 and later
authentification
An OS command injection vulnerability has been reported to affect Video Station
CVE-2023-47563
8.8 - High
- September 06, 2024
An OS command injection vulnerability has been reported to affect Video Station. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following version: Video Station 5.8.2 and later
Shell injection
A SQL injection vulnerability has been reported to affect Video Station
CVE-2023-50360
8.8 - High
- September 06, 2024
A SQL injection vulnerability has been reported to affect Video Station. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following version: Video Station 5.8.1 ( 2024/02/26 ) and later
SQL Injection
An unquoted search path or element vulnerability has been reported to affect QVR Smart Client
CVE-2022-27592
6.7 - Medium
- September 06, 2024
An unquoted search path or element vulnerability has been reported to affect QVR Smart Client. If exploited, the vulnerability could allow local authenticated administrators to execute unauthorized code or commands via unspecified vectors. We have already fixed the vulnerability in the following version: Windows 10 SP1, Windows 11, Mac OS, and Mac M1: QVR Smart Client 2.4.0.0570 and later
Unquoted Search Path or Element
An OS command injection vulnerability has been reported to affect legacy QTS
CVE-2023-39300
7.2 - High
- September 06, 2024
An OS command injection vulnerability has been reported to affect legacy QTS. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 4.3.6.2805 build 20240619 and later QTS 4.3.4.2814 build 20240618 and later QTS 4.3.3.2784 build 20240619 and later QTS 4.2.6 build 20240618 and later
Shell injection
A missing authorization vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-39298
7.8 - High
- September 06, 2024
A missing authorization vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow local authenticated users to access data or perform actions that they should not be allowed to perform via unspecified vectors. QuTScloud, is not affected. We have already fixed the vulnerability in the following versions: QTS 5.2.0.2737 build 20240417 and later QuTS hero h5.2.0.2782 build 20240601 and later
AuthZ
An OS command injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2024-21906
4.7 - Medium
- September 06, 2024
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.8.2823 build 20240712 and later QuTS hero h5.1.8.2823 build 20240712 and later
Shell injection
An improper certificate validation vulnerability has been reported to affect QuMagie
CVE-2024-38642
7.8 - High
- September 06, 2024
An improper certificate validation vulnerability has been reported to affect QuMagie. If exploited, the vulnerability could allow local network users to compromise the security of the system via unspecified vectors. We have already fixed the vulnerability in the following version: QuMagie 2.3.1 and later
Improper Certificate Validation
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2024-32763
8.8 - High
- September 06, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.8.2823 build 20240712 and later QuTS hero h5.1.8.2823 build 20240712 and later
Classic Buffer Overflow
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2024-27128
8.8 - High
- May 21, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute code via a network. We have already fixed the vulnerability in the following version: QTS 5.1.7.2770 build 20240520 and later QuTS hero h5.1.7.2770 build 20240520 and later
Classic Buffer Overflow
An incorrect permission assignment for critical resource vulnerability has been reported to affect several QNAP operating system versions
CVE-2024-21902
8.1 - High
- May 21, 2024
An incorrect permission assignment for critical resource vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to read or modify the resource via a network. We have already fixed the vulnerability in the following version: QTS 5.1.7.2770 build 20240520 and later QuTS hero h5.1.7.2770 build 20240520 and later
Information Disclosure
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2024-27130
8.8 - High
- May 21, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute code via a network. We have already fixed the vulnerability in the following version: QTS 5.1.7.2770 build 20240520 and later QuTS hero h5.1.7.2770 build 20240520 and later
Classic Buffer Overflow
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2024-27129
8.8 - High
- May 21, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute code via a network. We have already fixed the vulnerability in the following version: QTS 5.1.7.2770 build 20240520 and later QuTS hero h5.1.7.2770 build 20240520 and later
Classic Buffer Overflow
A double free vulnerability has been reported to affect several QNAP operating system versions
CVE-2024-27127
8.8 - High
- May 21, 2024
A double free vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute arbitrary code via a network. We have already fixed the vulnerability in the following version: QTS 5.1.7.2770 build 20240520 and later QuTS hero h5.1.7.2770 build 20240520 and later
Double-free