Skip to main content

Quftp Service CVE-2026-22895

| EUVDEUVD-2026-13714 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-20 qnap
6.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.2 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

6
Severity Changed
Jun 09, 2026 - 05:22 NVD
LOW MEDIUM
CVSS changed
Jun 09, 2026 - 05:22 NVD
2.2 (LOW) 6.2 (MEDIUM)
Patch available
Apr 16, 2026 - 05:29 EUVD
1.5.2,1.4.3,1.6.2
EUVD ID Assigned
Mar 20, 2026 - 16:30 euvd
EUVD-2026-13714
Analysis Generated
Mar 20, 2026 - 16:30 vuln.today
CVE Published
Mar 20, 2026 - 16:21 nvd
LOW 2.2

DescriptionCVE.org

A cross-site scripting (XSS) vulnerability has been reported to affect QuFTP Service. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data.

We have already fixed the vulnerability in the following versions: QuFTP Service 1.4.3 and later QuFTP Service 1.5.2 and later QuFTP Service 1.6.2 and later

AnalysisAI

A cross-site scripting (XSS) vulnerability exists in QuFTP Service that allows authenticated remote attackers with administrator credentials to bypass security mechanisms and read application data. The vulnerability affects multiple versions of QuFTP Service across different release branches (1.4.x, 1.5.x, and 1.6.x prior to specified patch versions). While no CVSS score, EPSS probability, or KEV status is currently available, the requirement for administrator-level access significantly constrains real-world exploitation risk.

Technical ContextAI

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), which represents a classic cross-site scripting flaw in web applications. QuFTP Service, identified via CPE (cpe:2.3:a:qnap_systems_inc.:quftp_service:*:*:*:*:*:*:*:*), is a file transfer protocol service developed by QNAP Systems Inc. The XSS flaw exists within the web-based administrative interface of QuFTP Service, where user-supplied input is rendered in HTML responses without proper sanitization or output encoding. This allows an attacker who has obtained administrator credentials to inject malicious JavaScript that executes in the context of administrator sessions, potentially leading to session hijacking, credential theft, or unauthorized data access.

RemediationAI

Organizations must upgrade QuFTP Service immediately to version 1.4.3 or later (for the 1.4.x branch), version 1.5.2 or later (for the 1.5.x branch), or version 1.6.2 or later (for the 1.6.x branch) as specified in the official QNAP security advisory at https://www.qnap.com/en/security-advisory/qsa-26-15. For environments where immediate patching is not feasible, implement network segmentation to restrict access to the QuFTP Service administrative interface to a whitelist of trusted administrator IP addresses, enforce strong password policies and multi-factor authentication for administrator accounts, and monitor administrator activity logs for suspicious behavior. Additionally, consider deploying a Web Application Firewall (WAF) configured to detect and block common XSS payloads in HTTP requests to the administrative interface.

Share

CVE-2026-22895 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy