Qnap

Vendor security scorecard – 83 CVEs in the selected period

Risk score: 125
CVEs: 83
Critical: 2
High: 20
KEV (known exploited): 0
PoC (public proof of concept): 0
Unpatched Critical/High (C/H): 22
Patch rate: 0.0%
Avg EPSS: 0.1%

Severity Breakdown

CRITICAL: 2
HIGH: 20
MEDIUM: 60
LOW: 1

Monthly CVE Trend

Top Risky CVEs

Columns: CVE | Severity | CVSS | EPSS | Priority | Signals, followed by the summary.

CVE-2025-66277 | CRITICAL | CVSS 9.8 | EPSS 0.1% | Priority 49 | Signals: No patch
  Symlink following vulnerability in multiple QNAP NAS operating system versions allows remote attackers to exploit link resolution for unauthorized access.

CVE-2026-22898 | CRITICAL | CVSS 9.3 | EPSS 0.4% | Priority 47 | Signals: No patch
  QVR Pro contains a missing authentication vulnerability (CWE-306) that allows remote attackers to access critical functions without proper credential validation, potentially gaining unauthorized system access. All versions prior to QVR Pro 2.7.4.14 are affected. This authentication bypass enables unauthenticated remote exploitation of a surveillance management platform, a direct threat to organizations relying on QVR Pro for video recording and system administration.

CVE-2025-22481 | HIGH | CVSS 8.8 | EPSS 0.2% | Priority 44 | Signals: No patch
  Command injection vulnerability affecting QNAP NAS operating systems (QTS and QuTS hero) that allows authenticated remote attackers to execute arbitrary commands with high severity (CVSS 8.8). The vulnerability requires valid user credentials but no user interaction, making it exploitable by compromised accounts or insider threats. QNAP has released patches as of March 21, 2025, and exploitation details are limited in public disclosures at this time.

CVE-2025-29883 | HIGH | CVSS 8.8 | EPSS 0.1% | Priority 44 | Signals: No patch
  Improper certificate validation vulnerability affecting Synology File Station 5 that allows authenticated remote attackers to compromise system security through man-in-the-middle attacks or credential harvesting. The vulnerability requires valid user credentials (PR:L) but can result in complete system compromise with high impact to confidentiality, integrity, and availability (CVSS 8.8). Patched versions are available for File Station 5 5.5.6.4791 and later.

CVE-2025-30279 | HIGH | CVSS 8.8 | EPSS 0.1% | Priority 44 | Signals: No patch
  Improper certificate validation vulnerability in QNAP File Station 5 that allows authenticated remote attackers to compromise system confidentiality, integrity, and availability. Affected versions are below 5.5.6.4847; the vulnerability requires valid user credentials but no user interaction, making it a significant post-authentication attack vector with a CVSS score of 8.8 (high severity).

CVE-2025-29892 | HIGH | CVSS 8.8 | EPSS 0.1% | Priority 44 | Signals: No patch
  SQL injection vulnerability in Qsync Central that allows authenticated remote attackers to execute arbitrary code or commands with high impact on confidentiality, integrity, and availability. The vulnerability affects all versions prior to Qsync Central 4.5.0.6 (released 2025/03/20). While no active KEV entry or public PoC is referenced in the available data, the CVSS score of 8.8 combined with low attack complexity and low privilege requirements indicates a serious, readily exploitable vulnerability that should be prioritized for patching.

CVE-2025-52863 | HIGH | CVSS 8.1 | EPSS 0.1% | Priority 41 | Signals: No patch
  A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. [CVSS 8.1 HIGH]

CVE-2025-52864 | HIGH | CVSS 8.1 | EPSS 0.1% | Priority 41 | Signals: No patch
  A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. [CVSS 8.1 HIGH]

CVE-2025-52872 | HIGH | CVSS 8.1 | EPSS 0.1% | Priority 41 | Signals: No patch
  A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. [CVSS 8.1 HIGH]

CVE-2025-48725 | HIGH | CVSS 8.1 | EPSS 0.1% | Priority 41 | Signals: No patch
  A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. [CVSS 8.1 HIGH]

CVE-2025-22482 | HIGH | CVSS 8.1 | EPSS 0.1% | Priority 41 | Signals: No patch
  Format string vulnerability in QNAP Qsync Central that allows authenticated remote attackers to read sensitive data or modify memory without user interaction. The vulnerability affects all versions prior to Qsync Central 4.5.0.6 (released March 20, 2025), with a CVSS score of 8.1 (high severity). While no public exploit or KEV status is currently documented, the low attack complexity and the requirement for only low-privilege user access make this a significant risk for organizations running vulnerable versions.

CVE-2024-14026 | HIGH | CVSS 7.8 | EPSS 0.2% | Priority 39 | Signals: No patch
  A command injection vulnerability has been reported to affect several QNAP operating system versions. If an attacker who has gained local network access has also gained a user account, they can then exploit the vulnerability to execute arbitrary commands. [CVSS 7.8 HIGH]

CVE-2025-22490 | HIGH | CVSS 7.5 | EPSS 0.1% | Priority 38 | Signals: No patch
  NULL pointer dereference vulnerability in QNAP File Station 5 that allows authenticated remote attackers to trigger a denial-of-service condition by crashing the application. The vulnerability affects File Station 5 versions prior to 5.5.6.4847, and while it requires valid user credentials (PR:N indicates no privileges required once authenticated), it has a CVSS score of 7.5 reflecting high availability impact. No indication of active exploitation in the wild or a public PoC is evident from the available data.

CVE-2025-29873 | HIGH | CVSS 7.5 | EPSS 0.1% | Priority 38 | Signals: No patch
  NULL pointer dereference vulnerability affecting QNAP File Station 5 that allows authenticated remote attackers to trigger a denial-of-service condition by crashing the application. The vulnerability has a CVSS score of 7.5 (High) due to its network accessibility and high availability impact, though it requires valid user credentials to exploit. QNAP has released patched versions (5.5.6.4847 and later) to remediate this issue.

CVE-2025-29876 | HIGH | CVSS 7.5 | EPSS 0.1% | Priority 38 | Signals: No patch
  NULL pointer dereference vulnerability in QNAP File Station 5 that allows authenticated remote attackers to trigger a denial-of-service condition by crashing the application. While the CVSS score of 7.5 is elevated, the requirement for a valid user account (the PR:N in the vector is misleading; an effective privilege requirement exists) and the lack of confidentiality/integrity impact limit real-world severity. The vulnerability affects File Station 5 versions prior to 5.5.6.4847, and the vendor has released patched versions.
