By vendor
Qnap vulnerabilities
Known CVEs affecting Qnap products, prioritized by severity, with SEC.co remediation and detection guidance.
3 published vulnerabilities
- CVE-2026-26236HIGH 7.5
A missing authorization vulnerability in QuMagie allows remote attackers to access data or perform actions they should not be permitted to do. The flaw does not require authentication, meaning an unauthenticated attacker on the network can exploit it directly. The vulnerability affects confidentiality but not integrity or availability. QNAP has patched the issue in QuMagie version 2.9.0 and later.
- CVE-2025-62858MEDIUM 6.5
A buffer overflow flaw exists in QNAP's QTS and QuTS hero operating systems that allows a high-privileged attacker to corrupt memory or crash running processes. Because the vulnerability requires prior administrative access, the risk is contained to scenarios where an admin account has been compromised or a trusted insider acts maliciously. QNAP has released patched versions across all affected product lines.
- CVE-2026-41539MEDIUM 6.1
QNAP has patched a cross-site scripting (XSS) vulnerability affecting multiple versions of QTS and QuTS hero operating systems. The flaw allows remote attackers to inject malicious scripts that execute in users' browsers, potentially bypassing security controls or stealing sensitive application data. No authentication is required to attempt exploitation, but a user must be tricked into clicking a malicious link or visiting a compromised page. QNAP has released security updates addressing the issue across affected product lines.