XSS in QNAP QTS/QuTS hero before 5.2.9.3492
CVE-2026-41539 Published on June 9, 2026
QTS, QuTS hero
A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to bypass security mechanisms or read application data.
We have already fixed the vulnerability in the following versions:
QTS 5.2.9.3492 build 20260507 and later
QuTS hero h5.2.9.3499 build 20260514 and later
QuTS hero h5.3.4.3500 build 20260520 and later
QuTS hero h6.0.0.3500 build 20260520 and later
Weakness Type
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2026-41539 has been classified to as a XSS vulnerability or weakness.
Products Associated with CVE-2026-41539
stack.watch emails you whenever new vulnerabilities are published in QNAP Qts or QNAP Quts Hero. Just hit a watch button to start following.
Affected Versions
QNAP Systems Inc. QTS:- Version 5.2.0 and below 5.2.9.3492 build 20260507 is affected.
- Version h5.2.0 and below h5.2.9.3499 build 20260514 is affected.
- Version h5.3.0 and below h5.3.4.3500 build 20260520 is affected.
- Version ? and below h6.0.0.3500 build 20260520 is affected.