6.3

CVE-2026-41539

QTS, QuTS hero

A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to bypass security mechanisms or read application data.

We have already fixed the vulnerability in the following versions:
QTS 5.2.9.3492 build 20260507 and later
QuTS hero h5.2.9.3499 build 20260514 and later
QuTS hero h5.3.4.3500 build 20260520 and later
QuTS hero h6.0.0.3500 build 20260520 and later
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
QnapQts Version5.2.0.2737 Updatebuild_20240417
QnapQts Version5.2.0.2744 Updatebuild_20240424
QnapQts Version5.2.0.2782 Updatebuild_20240601
QnapQts Version5.2.0.2802 Updatebuild_20240620
QnapQts Version5.2.0.2823 Updatebuild_20240711
QnapQts Version5.2.0.2851 Updatebuild_20240808
QnapQts Version5.2.0.2860 Updatebuild_20240817
QnapQts Version5.2.1.2930 Updatebuild_20241025
QnapQts Version5.2.2.2950 Updatebuild_20241114
QnapQts Version5.2.3.3006 Updatebuild_20250108
QnapQts Version5.2.4.3070 Updatebuild_20250312
QnapQts Version5.2.4.3079 Updatebuild_20250321
QnapQts Version5.2.4.3092 Updatebuild_20250403
QnapQts Version5.2.5.3145 Updatebuild_20250526
QnapQts Version5.2.6.3195 Updatebuild_20250715
QnapQts Version5.2.6.3229 Updatebuild_20250818
QnapQts Version5.2.7.3256 Updatebuild_20250913
QnapQts Version5.2.7.3297 Updatebuild_20251024
QnapQts Version5.2.8.3332 Updatebuild_20251128
QnapQts Version5.2.8.3350 Updatebuild_20251216
QnapQts Version5.2.8.3359 Updatebuild_20251225
QnapQts Version5.2.9.3410 Updatebuild_20260214
QnapQts Version5.2.9.3451 Updatebuild_20260327
QnapQuts Hero Versionh5.2.0.2737 Updatebuild_20240417
QnapQuts Hero Versionh5.2.0.2782 Updatebuild_20240601
QnapQuts Hero Versionh5.2.0.2789 Updatebuild_20240607
QnapQuts Hero Versionh5.2.0.2802 Updatebuild_20240620
QnapQuts Hero Versionh5.2.0.2823 Updatebuild_20240711
QnapQuts Hero Versionh5.2.0.2851 Updatebuild_20240808
QnapQuts Hero Versionh5.2.0.2860 Updatebuild_20240817
QnapQuts Hero Versionh5.2.1.2929 Updatebuild_20241025
QnapQuts Hero Versionh5.2.1.2940 Updatebuild_20241105
QnapQuts Hero Versionh5.2.2.2952 Updatebuild_20241116
QnapQuts Hero Versionh5.2.3.3006 Updatebuild_20250108
QnapQuts Hero Versionh5.2.4.3070 Updatebuild_20250312
QnapQuts Hero Versionh5.2.4.3079 Updatebuild_20250321
QnapQuts Hero Versionh5.2.5.3138 Updatebuild_20250519
QnapQuts Hero Versionh5.2.6.3195 Updatebuild_20250715
QnapQuts Hero Versionh5.2.7.3256 Updatebuild_20250913
QnapQuts Hero Versionh5.2.7.3297 Updatebuild_20251024
QnapQuts Hero Versionh5.2.8.3321 Updatebuild_20251117
QnapQuts Hero Versionh5.2.8.3350 Updatebuild_20251216
QnapQuts Hero Versionh5.2.8.3359 Updatebuild_20251225
QnapQuts Hero Versionh5.2.9.3410 Updatebuild_20260214
QnapQuts Hero Versionh5.2.9.3492 Updatebuild_20260507
QnapQuts Hero Versionh5.3.0.3115 Updatebuild_20250430
QnapQuts Hero Versionh5.3.0.3145 Updatebuild_20250530
QnapQuts Hero Versionh5.3.0.3192 Updatebuild_20250716
QnapQuts Hero Versionh5.3.1.3250 Updatebuild_20250912
QnapQuts Hero Versionh5.3.1.3292 Updatebuild_20251024
QnapQuts Hero Versionh5.3.2.3354 Updatebuild_20251225
QnapQuts Hero Versionh5.3.3.3424 Updatebuild_20260305
QnapQuts Hero Versionh6.0.0.3324 Updatebuild_20251125
QnapQuts Hero Versionh6.0.0.3382 Updatebuild_20260122
QnapQuts Hero Versionh6.0.0.3397 Updatebuild_20260206
QnapQuts Hero Versionh6.0.0.3459 Updatebuild_20260409
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.19% 0.09
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.1 2.8 2.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
security@qnapsecurity.com.tw 6.3 0 0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.