Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A cross-site scripting (XSS) vulnerability has been reported to affect QuFTP Service. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data.
We have already fixed the vulnerability in the following versions: QuFTP Service 1.4.3 and later QuFTP Service 1.5.2 and later QuFTP Service 1.6.2 and later
AnalysisAI
A cross-site scripting (XSS) vulnerability exists in QuFTP Service that allows authenticated remote attackers with administrator credentials to bypass security mechanisms and read application data. The vulnerability affects multiple versions of QuFTP Service across different release branches (1.4.x, 1.5.x, and 1.6.x prior to specified patch versions). While no CVSS score, EPSS probability, or KEV status is currently available, the requirement for administrator-level access significantly constrains real-world exploitation risk.
Technical ContextAI
The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), which represents a classic cross-site scripting flaw in web applications. QuFTP Service, identified via CPE (cpe:2.3:a:qnap_systems_inc.:quftp_service:*:*:*:*:*:*:*:*), is a file transfer protocol service developed by QNAP Systems Inc. The XSS flaw exists within the web-based administrative interface of QuFTP Service, where user-supplied input is rendered in HTML responses without proper sanitization or output encoding. This allows an attacker who has obtained administrator credentials to inject malicious JavaScript that executes in the context of administrator sessions, potentially leading to session hijacking, credential theft, or unauthorized data access.
RemediationAI
Organizations must upgrade QuFTP Service immediately to version 1.4.3 or later (for the 1.4.x branch), version 1.5.2 or later (for the 1.5.x branch), or version 1.6.2 or later (for the 1.6.x branch) as specified in the official QNAP security advisory at https://www.qnap.com/en/security-advisory/qsa-26-15. For environments where immediate patching is not feasible, implement network segmentation to restrict access to the QuFTP Service administrative interface to a whitelist of trusted administrator IP addresses, enforce strong password policies and multi-factor authentication for administrator accounts, and monitor administrator activity logs for suspicious behavior. Additionally, consider deploying a Web Application Firewall (WAF) configured to detect and block common XSS payloads in HTTP requests to the administrative interface.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13714