Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (qnap) · only source for this CVE.
Description (CVE.org)
An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource.
We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5243 and later
Analysis (AI)
Resource exhaustion in QNAP File Station 5 (versions 5.5.0 through 5.5.6.5242) allows a remote attacker holding a low-privilege user account to exhaust shared resources, denying availability to other users, processes, or applications on the same system. The vulnerability is classified as a Denial-of-Service risk with no impact on confidentiality or data integrity. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | The attacker must possess a valid, authenticated user account on the QNAP NAS with access to File Station 5 (CVSS PR:L confirms low-privilege authentication is required). … |
| Risk Assessment | The CVSS 4.0 base score of 5.3 (Medium) is well-calibrated to the actual risk profile. … |
| Exploit Scenario | An attacker who holds or has obtained a low-privilege QNAP NAS user account authenticates to File Station 5 over the network and submits a high volume of resource-intensive requests - such as repeated large directory listings, uploads, or other operations - without any imposed throttling limit. The cumulative resource consumption degrades or denies availability of File Station (or shared system resources) for other legitimate users and processes on the NAS. … |
| Remediation | The primary fix is to upgrade QNAP File Station 5 to version 5.5.6.5243 or later, as confirmed by QNAP's security advisory QSA-26-26 (https://www.qnap.com/en/security-advisory/qsa-26-26). … |
More from same product – last 7 days
Stack-based buffer overflow in QNAP File Station 5 versions 5.5.0 through 5.5.6.5208 allows authenticated remote attacke
Authorization bypass in QNAP File Station 5 (versions 5.5.0 through 5.5.6.5243) allows a remote attacker with a valid lo
NULL pointer dereference in QNAP File Station 5 enables authenticated remote attackers to crash the service and cause a
EUVD-2026-35974
GHSA-mmg8-4hr2-cpxw