Skip to main content

QNAP QTS CVE-2026-41539

| EUVD-2026-35350 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-09 security@qnapsecurity.com.tw GHSA-hc5c-8r54-29r3
XSS Qnap Qts Quts Hero
8.7
CVSS 4.0 · Vendor: qnapsecurity
Share

Severity by source

Vendor (qnapsecurity) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (qnapsecurity) · only source for this CVE.

CVSS VectorVendor: qnapsecurity

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Patch available
Jun 09, 2026 - 08:01 EUVD
Analysis Generated
Jun 09, 2026 - 06:30 vuln.today

DescriptionCVE.org

A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to bypass security mechanisms or read application data.

We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3500 build 20260520 and later

AnalysisAI

Cross-site scripting in QNAP QTS and QuTS hero operating systems allows remote attackers to bypass security mechanisms and read application data when an authenticated user interacts with attacker-supplied content. The flaw carries a CVSS 4.0 score of 8.7 driven by network reachability, low attack complexity, no required privileges, and high impact across confidentiality, integrity, and availability of the NAS management surface. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify reachable QTS/QuTS hero instance
Delivery
Plant XSS payload in attacker-controllable field or link
Exploit
Logged-in admin renders payload in NAS UI
Execution
Script executes in admin browser context
Persist
Steal session or invoke authenticated APIs
Impact
Bypass security controls and exfiltrate application data
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires that a victim with an active QTS or QuTS hero web session view or interact with attacker-controlled content rendered by the vulnerable web UI (UI:P in the CVSS 4.0 vector) - typically an admin or operator logged into the NAS management interface on a vulnerable build. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is moderate-to-high but bounded by the UI:P (passive user interaction) requirement in the CVSS 4.0 vector - exploitation needs a logged-in QNAP user to view attacker-supplied content (e.g., a crafted link, share name, log entry, or comment field), not a fully unauthenticated drive-by against the appliance itself. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious payload (for example a poisoned filename, share comment, log field, or external link) and lures or waits for a logged-in QNAP administrator to render it in the QTS/QuTS hero web UI; the injected script then executes in the admin's browser against the NAS origin. The script can exfiltrate session tokens or application data, issue authenticated API calls to create a backdoor admin, enable SSH, or stage a payload onto a share. …
Remediation Apply the vendor-released patches per QNAP advisory QSA-26-31 (https://www.qnap.com/en/security-advisory/qsa-26-31): upgrade to QTS 5.2.9.3492 build 20260507 or later, QuTS hero h5.2.9.3499 build 20260514 or later, QuTS hero h5.3.4.3500 build 20260520 or later, or QuTS hero h6.0.0.3500 build 20260520 or later, using Control Panel > System > Firmware Update or the QNAP download center. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify and document all QNAP QTS and QuTS hero systems in production, including current firmware versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2025-66276 CRITICAL
9.2 Jun 10

High-severity information disclosure flaw in QNAP QTS NAS operating system versions 5.2.0 through 5.2.7.3256 build 20250
CVE-2026-24717 MEDIUM
5.1 Jun 10

Path traversal in QNAP QTS and QuTS hero NAS operating systems exposes arbitrary file contents to attackers who have alr
CVE-2025-62858 MEDIUM
5.1 Jun 09

Stack-based buffer overflow in QNAP QTS and QuTS hero NAS operating systems enables an authenticated administrator to co
CVE-2025-59382 LOW
1.2 Jun 10

External control of assumed-immutable web parameters in QNAP NAS software enables remote unauthenticated attackers to ac

Share

CVE-2026-41539 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy