Cmd Injection in QuNetSwitch 2.0.5.0906+ (fixed)
CVE-2026-22901 Published on March 20, 2026
QuNetSwitch
A command injection vulnerability has been reported to affect QuNetSwitch. If a remote attacker gains a user account, they can then exploit the vulnerability to execute arbitrary commands.
We have already fixed the vulnerability in the following version:
QuNetSwitch 2.0.5.0906 and later
Weakness Type
What is a Shell injection Vulnerability?
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CVE-2026-22901 has been classified to as a Shell injection vulnerability or weakness.
Affected Versions
QNAP Systems Inc. QuNetSwitch:- Version 2.0.x and below 2.0.5.0906 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.