CVE-2026-41539

HIGH EPSS 9.1%
Published Jun 9, 20263w ago · Modified Jun 17, 20262w ago
8.7 CVSS 4.0
High
Find Similar
Published Jun 9, 2026 3w ago
Last Modified Jun 17, 2026 2w ago

Description

A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3500 build 20260520 and later

CVSS Details

Base Score
8.7
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction P
Scope X

Threat Intelligence

EPSS Exploit Probability
9.1% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 56

VendorProductVersionRange
qnapqts5.2.0.2737any
qnapqts5.2.0.2744any
qnapqts5.2.0.2782any
qnapqts5.2.0.2802any
qnapqts5.2.0.2823any
qnapqts5.2.0.2851any
qnapqts5.2.0.2860any
qnapqts5.2.1.2930any
qnapqts5.2.2.2950any
qnapqts5.2.3.3006any
qnapqts5.2.4.3070any
qnapqts5.2.4.3079any
qnapqts5.2.4.3092any
qnapqts5.2.5.3145any
qnapqts5.2.6.3195any
qnapqts5.2.6.3229any
qnapqts5.2.7.3256any
qnapqts5.2.7.3297any
qnapqts5.2.8.3332any
qnapqts5.2.8.3350any
qnapqts5.2.8.3359any
qnapqts5.2.9.3410any
qnapqts5.2.9.3451any
qnapquts_heroh5.2.0.2737any
qnapquts_heroh5.2.0.2782any
qnapquts_heroh5.2.0.2789any
qnapquts_heroh5.2.0.2802any
qnapquts_heroh5.2.0.2823any
qnapquts_heroh5.2.0.2851any
qnapquts_heroh5.2.0.2860any
qnapquts_heroh5.2.1.2929any
qnapquts_heroh5.2.1.2940any
qnapquts_heroh5.2.2.2952any
qnapquts_heroh5.2.3.3006any
qnapquts_heroh5.2.4.3070any
qnapquts_heroh5.2.4.3079any
qnapquts_heroh5.2.5.3138any
qnapquts_heroh5.2.6.3195any
qnapquts_heroh5.2.7.3256any
qnapquts_heroh5.2.7.3297any
qnapquts_heroh5.2.8.3321any
qnapquts_heroh5.2.8.3350any
qnapquts_heroh5.2.8.3359any
qnapquts_heroh5.2.9.3410any
qnapquts_heroh5.2.9.3492any
qnapquts_heroh5.3.0.3115any
qnapquts_heroh5.3.0.3145any
qnapquts_heroh5.3.0.3192any
qnapquts_heroh5.3.1.3250any
qnapquts_heroh5.3.1.3292any
qnapquts_heroh5.3.2.3354any
qnapquts_heroh5.3.3.3424any
qnapquts_heroh6.0.0.3324any
qnapquts_heroh6.0.0.3382any
qnapquts_heroh6.0.0.3397any
qnapquts_heroh6.0.0.3459any

References 1

  • qnap.com https://www.qnap.com/en/security-advisory/qsa-26-31
    Broken Link

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.