Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionNVD
A cross-site request forgery (CSRF) vulnerability has been reported to affect Notification Center. The remote attackers can then exploit the vulnerability to gain privileges or hijack user identities.
We have already fixed the vulnerability in the following version: Notification Center 1.10.0.3291 and later
AnalysisAI
Cross-site request forgery in QNAP Notification Center allows remote unauthenticated attackers to forge state-changing requests on behalf of authenticated NAS users, potentially resulting in privilege escalation or session hijacking within the Notification Center context. Affected versions are all Notification Center 1.10.0 builds prior to 1.10.0.3291, confirmed by QNAP advisory QSA-26-13 and EUVD-2025-210096. Exploitation requires active victim interaction (CVSS 4.0 UI:A), integrity impact is rated low (VI:L), and no public exploit code or active exploitation has been identified at time of analysis.
Technical ContextAI
CSRF (CWE-352) arises when a web application fails to verify that state-changing HTTP requests originate from the application's own interface rather than a third-party site. QNAP's Notification Center - a NAS-resident component managing alerts and system notifications - does not adequately validate request origin, allowing a malicious page to silently submit forged requests using an authenticated user's browser session and cookies. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:A) confirms the attack surface is network-accessible, requires no special attack prerequisites or attacker privileges, but mandates active interaction from the victim. Affected product is identified by CPE cpe:2.3:a:qnap_systems_inc.:notification_center:*:*:*:*:*:*:*:*, scoped to the 1.10.0 branch below build 3291.
RemediationAI
Upgrade QNAP Notification Center to version 1.10.0.3291 or later, as released and confirmed by QNAP via advisory QSA-26-13 at https://www.qnap.com/en/security-advisory/qsa-26-13. Updates can be applied through the QNAP App Center on the NAS management interface. Until patching is complete, restrict access to the NAS management interface to trusted internal networks or VPN only - blocking external access to the management ports eliminates the network delivery path for the forged request. Additionally, administrators should avoid clicking unsolicited links or browsing untrusted sites while authenticated to the QNAP interface, as this removes the active user interaction prerequisite (UI:A). Note that restricting management port access may affect remote administration workflows.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210096
GHSA-g758-jg83-j6jj