11
CVEs
0
Critical
3
High
0
KEV
0
PoC
0
Unpatched C/H
90.9%
Patch Rate
0.3%
Avg EPSS
Severity Breakdown
CRITICAL
0
HIGH
3
MEDIUM
6
LOW
2
Monthly CVE Trend
Affected Products (30)
Qts
189
Quts Hero
161
Qutscloud
18
Photo Station
9
Q Center
7
Qvr
7
File Station
6
Video Station
4
Qes
4
Music Station
3
Multimedia Console
3
Helpdesk
3
Signage Station
3
Viostor Network Video Recorder
3
Hybrid Backup Sync
2
Surveillance Station Pro
2
Qsync Central
2
Qss
2
Nas
2
Media Streaming Add On
2
Iartist Lite
2
Surveillance Station
2
Ej1600 Firmware
1
Tl R400S Firmware
1
Qvp 63B Firmware
1
Qusbcam2
1
Ts 469U Firmware
1
Tr 004 Firmware
1
Ts Ec1679U Rp Firmware
1
Qvp 85B Firmware
1
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2025-66273 | Authenticated command injection in QNAP QTS and QuTS hero NAS operating systems allows a remote attacker who has already obtained administrator credentials to execute arbitrary OS commands on the appliance. Reported by QNAP itself and tracked as EUVD-2025-210099, the issue affects multiple branches across QTS 5.2.x and QuTS hero 5.2.x, 5.3.x, and 6.0.x and is fixed in builds dated 2026-02-06 through 2026-05-20. No public exploit identified at time of analysis and the issue is not listed in CISA KEV. | HIGH | 8.6 | 0.5% | 44 |
|
| CVE-2025-66279 | Authenticated command injection in QNAP QTS and QuTS hero allows a remote attacker holding administrator credentials to execute arbitrary OS commands on the NAS appliance. The CVSS 4.0 base score of 8.6 reflects high impact across confidentiality, integrity, and availability, though exploitation requires high privileges (PR:H). No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; QNAP has released fixed builds across affected QTS and QuTS hero branches. | HIGH | 8.6 | 0.5% | 44 |
|
| CVE-2026-22893 | Authenticated command injection in QNAP QTS and QuTS hero NAS operating systems allows attackers with administrator credentials to execute arbitrary OS commands on the appliance. The flaw spans multiple QTS and QuTS hero release trains (5.2.x, 5.3.x, and 6.0.x) and has been patched by QNAP across all affected branches. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV, but the post-authentication code execution primitive is highly valuable for attackers who have already harvested admin credentials. | HIGH | 8.6 | 0.5% | 44 |
|
| CVE-2025-66281 | NULL pointer dereference in QNAP QTS and QuTS hero NAS operating systems allows remote unauthenticated attackers to crash a network-facing service and cause a denial-of-service condition without any authentication or user interaction. Multiple active OS branches are affected - QTS 5.2.x and QuTS hero h5.2.x through h6.0.x - across a device population that is historically internet-exposed and frequently targeted. No public exploit has been identified and this vulnerability is not listed in CISA KEV, but the zero-authentication, network-accessible attack surface makes DoS attempts trivially repeatable against unpatched devices. | MEDIUM | 6.9 | 0.2% | 35 |
|
| CVE-2026-41539 | Cross-site scripting in QNAP QTS and QuTS hero operating systems allows remote attackers to bypass security mechanisms and read application data when an authenticated user interacts with attacker-supplied content. The flaw carries a CVSS 4.0 score of 8.7 driven by network reachability, low attack complexity, no required privileges, and high impact across confidentiality, integrity, and availability of the NAS management surface. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV. | MEDIUM | 6.3 | 0.1% | 32 |
|
| CVE-2026-24719 | Authenticated command injection in QNAP QTS and QuTS hero NAS operating systems allows an attacker who already holds an administrator account to execute arbitrary OS commands on the appliance. The flaw carries a CVSS 4.0 score of 8.6, but the PR:H requirement substantially narrows the attacker population; no public exploit identified at time of analysis and the issue is not listed in CISA KEV. QNAP has shipped fixed builds (QTS 5.2.9.3492 build 20260507 and QuTS hero h5.2.9.3499 build 20260514). | MEDIUM | 6.1 | 0.5% | 31 |
|
| CVE-2025-62850 | NULL pointer dereference in QNAP QuTS hero NAS operating system allows a remote attacker who has already obtained or possesses an administrator account to trigger a denial-of-service condition, crashing affected services. Affected branches span QuTS hero h5.2.x, h5.3.x, and h6.0.x series, with vendor-released patches available as of early-to-mid 2026. No public exploit code or CISA KEV listing has been identified at time of analysis, and the mandatory prerequisite of high-privilege authentication substantially constrains real-world impact. | MEDIUM | 5.1 | 0.1% | 26 |
No patch
|
| CVE-2025-66280 | Integer overflow (CWE-190) in QNAP QTS and QuTS hero NAS operating systems allows a remote attacker who has already obtained an administrator account to further compromise system integrity and availability. Affected versions span QTS 5.2.x and QuTS hero h5.2.x through h6.0.x; QNAP released patched builds in February and May 2026. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the mandatory prerequisite of administrator-level access materially constrains real-world exploitability. | MEDIUM | 5.1 | 0.1% | 26 |
|
| CVE-2025-62858 | Stack-based buffer overflow in QNAP QTS and QuTS hero NAS operating systems enables an authenticated administrator to corrupt stack memory or crash processes via a network-accessible attack path. Affected versions span QTS 5.2.x and multiple QuTS hero release trains (h5.2.x, h5.3.x, h6.0.x), with vendor-released patches dated February-May 2026. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the mandatory high-privilege prerequisite substantially limits realistic attack surface. | MEDIUM | 5.1 | 0.1% | 26 |
|
| CVE-2026-24717 | Path traversal in QNAP QTS and QuTS hero NAS operating systems exposes arbitrary file contents to attackers who have already obtained administrator-level access. The root cause (CWE-22) indicates insufficient sanitization of file path inputs, allowing directory escape to reach files outside intended scope. No public exploit code has been identified at time of analysis, and CISA KEV lists no active exploitation - making this a targeted post-compromise risk rather than an opportunistic mass-exploitation scenario. Vendor-released patches address all affected branches as of May 2026. | LOW | 1.2 | 0.2% | 6 |
|
| CVE-2026-24716 | NULL pointer dereference in QNAP QTS and QuTS hero NAS operating systems enables a remote, administrator-authenticated attacker to trigger a denial-of-service condition. Exploitation requires the attacker to first hold or acquire an administrator account on the target device, after which a crafted request can crash system services. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis. | LOW | 1.2 | 0.1% | 6 |
|