QNAP Quts Hero

By the Year

In 2026 there have been 20 vulnerabilities in QNAP Quts Hero. Last year, in 2025, Quts Hero had 24 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that the number of security vulnerabilities in Quts Hero in 2026 could surpass last year's number.




Year   Vulnerabilities   Average Score
2026   20                0.00
2025   24                0.00
2024   60                7.25
2023   20                6.71
2022   6                 6.75
2021   10                7.66
2020   5                 6.84

It may take a day or so for new Quts Hero vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent QNAP Quts Hero Security Vulnerabilities

Cmd Injection in QTS 5.2.9 (pre-20260507) & QuTS hero (pre-20260514)
CVE-2026-24719 - June 10, 2026

A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later

Shell injection

QNAP QTS/QuTS Hero path traversal CVE-2026-24717 before 5.2.9.3492
CVE-2026-24717 - June 10, 2026

A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3459 build 20260409 and later

Directory traversal

QNAP QTS DoS via NULL ptr in 5.2.9.3492+
CVE-2026-24716 - June 10, 2026

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3459 build 20260409 and later

NULL Pointer Dereference

CmdInject in QNAP QTS/QuTS before 5.2.9.3410
CVE-2026-22893 - June 10, 2026

A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20260214 and later QuTS hero h5.2.9.3410 build 20260214 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3459 build 20260409 and later

Shell injection

QNAP QTS Null Ptr Deref DoS (pre 5.2.9.3410, fixed in 5.2.9.3410)
CVE-2025-66281 - June 10, 2026

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20260214 and later QuTS hero h5.2.9.3410 build 20260214 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3397 build 20260206 and later

NULL Pointer Dereference

QNAP QTS/QuTS Integer Overflow (Admin) CVE-2025-66280 Fixed v5.2.9.3410+
CVE-2025-66280 - June 10, 2026

An integer overflow or wraparound vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to compromise the security of the system. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20260214 and later QuTS hero h5.2.9.3410 build 20260214 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3397 build 20260206 and later

Integer Overflow or Wraparound

Command Injection in QNAP QTS/QuTS Hero (5.2.9.3410, 5.3.4.3500)
CVE-2025-66279 - June 10, 2026

A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20260214 and later QuTS hero h5.2.9.3410 build 20260214 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3397 build 20260206 and later

Shell injection

QTS/QuTS Hero cmd injection CVE-2025-66273 before 5.2.9.3410
CVE-2025-66273 - June 10, 2026

A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20260214 and later QuTS hero h5.2.9.3410 build 20260214 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3397 build 20260206 and later

Shell injection

QNAP QuTS hero NULL ptr DoS (pre 5.3.4/6.0)
CVE-2025-62850 - June 10, 2026

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QuTS hero h5.2.9.3410 build 20260214 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3459 build 20260409 and later

NULL Pointer Dereference

QNAP CVE-2025-59382 Fix Implemented
CVE-2025-59382 - June 10, 2026

QTS, QuTS hero, QuTScloud are not affected. We have already fixed the vulnerability in the following version:

Assumed-Immutable Parameter Tampering

Buffer Overflow in QNAP OS (pre-5.2.9.3410, pre-5.3.4.3500, pre-6.0.0.3397)
CVE-2025-62858 - June 09, 2026

A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20260214 and later QuTS hero h5.2.9.3410 build 20260214 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3397 build 20260206 and later

Stack Overflow

XSS in QNAP QTS/QuTS hero before 5.2.9.3492
CVE-2026-41539 - June 09, 2026

A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3500 build 20260520 and later

XSS

Command Injection in QTS / QuTS OS before 5.1.9.2954 (fixed in 5.2.3.3006)
CVE-2024-14026 - March 11, 2026

A command injection vulnerability has been reported to affect several QNAP operating system versions. If an attacker who has also gained a user account gains local network access, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later QTS 5.2.3.3006 build 20250108 and later QuTS hero h5.1.9.2954 build 20241120 and later QuTS hero h5.2.3.3006 build 20250108 and later

Shell injection

QNAP QTS <=5.2.8.3332 NULL PTR DoS Vulnerability
CVE-2025-47205 - February 11, 2026

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.8.3332 build 20251128 and later QuTS hero h5.2.8.3321 build 20251117 and later

NULL Pointer Dereference

QNAP OS pre-5.3.2.3354 buffer overflow remote AS user
CVE-2025-48725 - February 11, 2026

A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: QuTS hero h5.3.2.3354 build 20251225 and later

Classic Buffer Overflow

QTS 5.2.8.3332 Build DoS via Uninitialized Variable
CVE-2025-58466 - February 11, 2026

A use of uninitialized variable vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to cause denial-of-service conditions or modify control flow in unexpected ways. We have already fixed the vulnerability in the following versions: QTS 5.2.8.3332 build 20251128 and later QuTS hero h5.2.8.3321 build 20251117 and later

Use of Uninitialized Variable

QNAP OS NULL Pointer Deref DoS via Admin Remote (pre-5.3.2.3354)
CVE-2025-59386 - February 11, 2026

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: QuTS hero h5.3.2.3354 build 20251225 and later

NULL Pointer Dereference

QNAP QuTS hero OS <=5.3.2.3354 NULL Pointer DoS
CVE-2025-66274 - February 11, 2026

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20260214 and later QuTS hero h5.2.9.3410 build 20260214 and later QuTS hero h5.3.2.3354 build 20251225 and later QuTS hero h6.0.0.3397 build 20260206 and later

NULL Pointer Dereference

QNAP QTS/QuTS Hero: Link Following Path Traversal (pre-5.2.8/5.3.2)
CVE-2025-66277 - February 11, 2026

A link following vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to traverse the file system to unintended locations. We have already fixed the vulnerability in the following versions: QTS 5.2.8.3350 build 20251216 and later QuTS hero h5.3.2.3354 build 20251225 and later QuTS hero h5.2.8.3350 build 20251216 and later

insecure temporary file

QNAP QTS 5.2.8.3332 Path Traversal Allowing Admin File Read
CVE-2025-59381 - January 02, 2026

A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following versions: QTS 5.2.8.3332 build 20251128 and later QuTS hero h5.2.8.3321 build 20251117 and later QuTS hero h5.3.2.3354 build 20251225 and later

Directory traversal

QNAP QTS Format String Vulnerability v5.2.6.3195 Remote Exploit
CVE-2025-53407 - October 03, 2025

A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret data or modify memory. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Use of Externally-Controlled Format String

Format String in QTS/QuTS hero 5.2.6.3195 Allows Remote Data Leak
CVE-2025-53406 - October 03, 2025

A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret data or modify memory. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Use of Externally-Controlled Format String

QNAP QTS/QuTS hero 5.2.6.3195 NPD Remote Admin DoS
CVE-2025-52866 - October 03, 2025

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

NULL Pointer Dereference

QNAP QTS/QuTS hero NULL ptr DoS before 5.2.6.3195
CVE-2025-52862 - October 03, 2025

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

NULL Pointer Dereference

QNAP QTS/QuTS hero NULL Ptr Deref DoS before 5.2.6.3195
CVE-2025-52860 - October 03, 2025

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

NULL Pointer Dereference

QNAP QTS 5.2.6.3195: NULL ptr DoS Remote Attacker
CVE-2025-52859 - October 03, 2025

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

NULL Pointer Dereference

NULL Pointer Deref in QNAP QTS & QuTS hero 5.2.6.3195 Before build 20250715 DoS
CVE-2025-52858 - October 03, 2025

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

NULL Pointer Dereference

QNAP QTS/QuTS hero NULL ptr deref DoS pre 5.2.6.3195
CVE-2025-52857 - October 03, 2025

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

NULL Pointer Dereference

QNAP QTS/QuTS Hero Remote Admin Null Ptr Deref DoS - fixed 5.2.6.3195
CVE-2025-52855 - October 03, 2025

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

NULL Pointer Dereference

QTS QNAP OS NPE DoS (5.2.6.3195) Remote Admin
CVE-2025-52854 - October 03, 2025

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

NULL Pointer Dereference

QNAP OS QTS/QuTS hero DoS via NULL ptr in pre-5.2.6.3195
CVE-2025-52853 - October 03, 2025

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

NULL Pointer Dereference

NULL PTR DoS in QNAP QTS 5.2.6.3195 & QuTS Hero 5.2.6.3195
CVE-2025-52433 - October 03, 2025

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

NULL Pointer Dereference

CVE-2025-52432: Null Pointer Deref in QNAP QTS/QuTS hero OS DoS (fixed 5.2.6.3195+/5.3.0.3192+)
CVE-2025-52432 - October 03, 2025

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later QuTS hero h5.3.0.3192 build 20250716 and later

NULL Pointer Dereference

Format String Vulnerability in QTS 5.2.6.3195+ (CVE-2025-52429)
CVE-2025-52429 - October 03, 2025

A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret data or modify memory. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Use of Externally-Controlled Format String

QNAP QTS/QuTS hero 5.2.x NULL Pointer DoS Vulnerability
CVE-2025-52427 - October 03, 2025

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

NULL Pointer Dereference

QTS 5.2.6.3195 NULL ptr DoS after admin takeover
CVE-2025-52424 - October 03, 2025

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

NULL Pointer Dereference

External Format String issue in QNAP QTS/QuTS <5.2.6.3195 (pre-5.2.6.3195)
CVE-2025-48730 - October 03, 2025

A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret data or modify memory. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Use of Externally-Controlled Format String

QNAP QTS/QuTS hero NULL PTR DoS prior 5.2.6.3195
CVE-2025-48729 - October 03, 2025

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

NULL Pointer Dereference

QNAP QTS Null Ptr DoS before 5.2.6.3195
CVE-2025-48728 - October 03, 2025

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

NULL Pointer Dereference

QNAP OS NULL Pointer DoS (QTS 5.2.6.3195+, QuTS hero h5.2.6.3195+)
CVE-2025-48727 - October 03, 2025

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

NULL Pointer Dereference

QTS <5.2.6.3195: NULL ptr deref DoS via admin
CVE-2025-48726 - October 03, 2025

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

NULL Pointer Dereference

QNAP QTS/QuTS NULL Pointer DoS (remote admin) before 5.2.6.3195
CVE-2025-47213 - October 03, 2025

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

NULL Pointer Dereference

Command Injection Remote Exec in QNAP QTS/QuTS hero <5.2.6.3195
CVE-2025-47212 - October 03, 2025

A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Shell injection

Path Traversal in QTS 5.2.6.3195 (QNAP) admin reads arbitrary files
CVE-2025-47211 - October 03, 2025

A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Directory traversal

QNAP QTS & QuTS hero Path Traversal (CVE-2024-21904) v<5.1.7.2770 Vulnerable
CVE-2024-21904 6.5 - Medium - September 06, 2024

A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to read the contents of unexpected files and expose sensitive data via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.7.2770 build 20240520 and later QuTS hero h5.1.7.2770 build 20240520 and later

Directory traversal

OS Command Injection in QNAP QTS/QuTS hero (auth admin) <5.1.6.2722
CVE-2024-21903 4.7 - Medium - September 06, 2024

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later QuTS hero h5.1.6.2734 build 20240414 and later

Shell injection

QNAP QTS/QuTS Hero OS Command Injection Before 5.1.6.2722
CVE-2024-21898 8.8 - High - September 06, 2024

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later QuTS hero h5.1.6.2734 build 20240414 and later

Shell injection

QNAP QTS/QuTS hero XSS via network, fixed QTS 5.1.6.2722+, QuTS hero h5.1.6.2734+
CVE-2024-21897 5.4 - Medium - September 06, 2024

A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later QuTS hero h5.1.6.2734 build 20240414 and later

XSS

QNAP QTS/QuTS hero RCE via unchecked buffer copy before 5.1.6.2722
CVE-2023-51367 8.8 - High - September 06, 2024

A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later QuTS hero h5.1.6.2734 build 20240414 and later

Classic Buffer Overflow

QNAP QTS/QuTS hero DoS via NULL ptr in OS before 5.1.6.2722
CVE-2023-51368 6.5 - Medium - September 06, 2024

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to launch a denial-of-service (DoS) attack via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later QuTS hero h5.1.6.2734 build 20240414 and later

NULL Pointer Dereference
