Severity by source
Primary rating from vendor (qnap), the only source for this CVE.
CVSS 4.0 vector (vendor: qnap): CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (source: CVE.org)
A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data.
We have already fixed the vulnerability in the following versions:
- QTS 5.2.9.3492 build 20260507 and later
- QuTS hero h5.2.9.3499 build 20260514 and later
- QuTS hero h5.3.4.3500 build 20260520 and later
- QuTS hero h6.0.0.3459 build 20260409 and later
Analysis (AI)
Path traversal in the QNAP QTS and QuTS hero NAS operating systems exposes arbitrary file contents to an attacker who already holds administrator-level access. The CWE-22 classification points to insufficient canonicalisation and validation of user-supplied file path input, so directory-escape sequences reach files outside the intended directory. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | The attacker must first obtain a valid administrator-level account on the target QNAP device; this is stated explicitly in the description and reflected in the CVSS 4.0 PR:H (High Privileges Required) metric. … |
| Risk Assessment | The CVSS 4.0 base score of 5.1 (Medium) reflects a meaningful but bounded risk: network-reachable and low-complexity, but gated on administrator privileges and limited to a confidentiality impact (VC:L). … |
| Exploit Scenario | Hypothetical flow derived from the CVE metadata: an attacker who has obtained QNAP administrator credentials (through credential stuffing against an internet-exposed management interface, phishing, or reuse of a compromised password) authenticates to the NAS web interface and issues a crafted request containing path traversal sequences (e.g. '../../') to a file-reading endpoint. The unpatched system fails to canonicalise and validate the path and returns the contents of a file outside the intended directory, for example /etc/shadow or a configuration file containing API keys. … |
| Remediation | Upgrade to a vendor-patched build: for QTS, 5.2.9.3492 build 20260507 or later; for QuTS hero, h5.2.9.3499 build 20260514, h5.3.4.3500 build 20260520 or h6.0.0.3459 build 20260409 (or later), matching the installed branch. Since exploitation requires an administrator account, keeping the management interface off the internet and enforcing strong, unique administrator credentials also limits the precondition the scenario above relies on. … |
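The CWE-22 pattern named in the analysis and the exploit scenario above, beside a hardened resolver, as an added example. This is not QNAP code and implies nothing about any QNAP endpoint; the export directory, file names and request strings are constructed for the demonstration.

```python
"""Path traversal (CWE-22): the insecure join pattern and a hardened resolver.

Added illustration, not QNAP code. Directory and file names are constructed.
"""
import os
import tempfile
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a requested path would escape the export directory."""


def vulnerable_open_path(base_dir: str, requested: str) -> str:
    """The CWE-22 pattern: the user-supplied name is joined onto base_dir
    without any containment check, so '../' walks out of it.  The normpath()
    call shows what the kernel will actually open.  Deliberately insecure."""
    return os.path.normpath(os.path.join(base_dir, unquote(requested)))


def safe_resolve(base_dir: str, requested: str) -> str:
    """Return the absolute path of `requested` inside `base_dir`, or raise.

    Order matters: percent-decode first so '%2e%2e/' is caught, reject absolute
    paths (os.path.join discards base_dir when the second part is absolute),
    then canonicalise with realpath() so '../' sequences AND symlinks inside
    base_dir are resolved before the containment check is made.
    """
    root = os.path.realpath(base_dir)
    decoded = unquote(requested)
    if os.path.isabs(decoded) or decoded.startswith(("/", "\\")):
        raise TraversalError(f"absolute path rejected: {requested!r}")
    candidate = os.path.realpath(os.path.join(root, decoded))
    # commonpath() compares whole components, so /srv/export2 is NOT treated as
    # inside /srv/export, which a plain str.startswith(root) check would allow.
    if os.path.commonpath([root, candidate]) != root:
        raise TraversalError(f"escapes {root}: {requested!r} -> {candidate}")
    return candidate


def is_contained(base_dir: str, requested: str) -> bool:
    """Boolean wrapper around safe_resolve() for policy checks and tests."""
    try:
        safe_resolve(base_dir, requested)
        return True
    except TraversalError:
        return False


def demo() -> dict:
    """Build a throwaway export dir containing a symlink that points outside
    it, then run a set of constructed requests through the hardened resolver.
    Returns {request: 'allowed' | 'blocked'}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "export")
        os.makedirs(root)
        with open(os.path.join(root, "report.txt"), "w") as fh:
            fh.write("public\n")
        secret = os.path.join(tmp, "secret.conf")  # outside the export dir
        with open(secret, "w") as fh:
            fh.write("api_key=constructed-example\n")
        requests = ["report.txt", "../secret.conf", "%2e%2e/secret.conf", "/etc/hostname"]
        try:
            os.symlink(secret, os.path.join(root, "link"))  # symlink escape
            requests.append("link")
        except OSError:
            pass  # platform without symlink support: skip that case
        for req in requests:
            results[req] = "allowed" if is_contained(root, req) else "blocked"
    return results


if __name__ == "__main__":
    print("vulnerable join opens:", vulnerable_open_path("/srv/export", "../../etc/shadow"))
    for req, verdict in demo().items():
        print(f"{verdict:8} {req}")
```

The symlink case is the one most ad-hoc filters miss: a name with no dots at all still resolves outside the directory, which is why the check must run on the realpath() result rather than on the request string.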
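An added fleet-check helper for the remediation row above; it is not QNAP tooling. It parses a version string written the way the advisory writes them ("QTS 5.2.9.3492 build 20260507", "QuTS hero h5.3.4.3500 build 20260520") and compares it against the fixed build of the matching branch, so an h5.2.x host is judged against the h5.2.9 fix and not against h6.0.0. Branches the advisory does not list (for example QTS 5.1.x or 4.x) get no verdict, because this page does not state whether they are affected. The sample strings are constructed; obtaining a device's version string is outside the example.

```python
"""Compare an installed QTS / QuTS hero version against the fixed builds named
in this advisory.  Added example, not QNAP tooling; sample inputs are constructed.
"""
import re
from typing import Optional, Tuple

# Fixed builds as listed in the advisory, keyed by (product, branch).
FIXED = {
    ("QTS", "5.2"): ((5, 2, 9, 3492), 20260507),
    ("QuTS hero", "h5.2"): ((5, 2, 9, 3499), 20260514),
    ("QuTS hero", "h5.3"): ((5, 3, 4, 3500), 20260520),
    ("QuTS hero", "h6.0"): ((6, 0, 0, 3459), 20260409),
}

_VERSION_RE = re.compile(
    r"^(?P<product>QTS|QuTS hero)\s+(?P<h>h?)(?P<nums>\d+(?:\.\d+){3})"
    r"\s+build\s+(?P<build>\d{8})$"
)


def parse_version(text: str) -> Tuple[str, str, Tuple[int, ...], int]:
    """Split 'QuTS hero h5.3.4.3500 build 20260520' into
    ('QuTS hero', 'h', (5, 3, 4, 3500), 20260520).  Raises ValueError on
    anything else rather than guessing."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(x) for x in m.group("nums").split("."))
    return m.group("product"), m.group("h"), nums, int(m.group("build"))


def is_fixed(text: str) -> Optional[bool]:
    """True if at/above the fixed build for its branch, False if below,
    None if the branch is not one the advisory lists (manual review)."""
    product, h, nums, build = parse_version(text)
    branch = f"{h}{nums[0]}.{nums[1]}"
    entry = FIXED.get((product, branch))
    if entry is None:
        return None
    fixed_nums, fixed_build = entry
    # Compare the four-part version first, then the build date as a tiebreak;
    # a tuple comparison does exactly that.
    return (nums, build) >= (fixed_nums, fixed_build)


def triage(versions) -> dict:
    """Map each version string to 'patched', 'vulnerable' or 'review'."""
    labels = {True: "patched", False: "vulnerable", None: "review"}
    return {v: labels[is_fixed(v)] for v in versions}


if __name__ == "__main__":
    # Constructed inventory for illustration.
    sample = [
        "QTS 5.2.9.3492 build 20260507",
        "QTS 5.2.7.3256 build 20250101",
        "QuTS hero h5.2.9.3499 build 20260513",
        "QuTS hero h6.0.0.3459 build 20260409",
        "QTS 5.1.9.2000 build 20250101",
    ]
    for version, verdict in triage(sample).items():
        print(f"{verdict:10} {version}")
```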
Related identifiers
- EUVD-2026-35976
- GHSA-jhw8-2xh3-xhmf