
41 matches found

Cvelist
added 2026/03/11 8:2 a.m. | 23 views

CVE-2024-14026 QTS, QuTS hero

A command injection vulnerability has been reported to affect several QNAP operating system versions. If an attacker gains local network access who have also gained a user account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in th...

CVSS 5.4 | EPSS 0.00016
Exploits: 0 | References: 1

Tenable Nessus
added 2026/03/09 12:0 a.m. | 2 views

Qnap QTS and QuTS Use of Uninitialized Variable (CVE-2025-58466)

A use of uninitialized variable vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to denial of service conditions, or modify control flow in unexpected ways. We have alread...

CVSS 5.1 | AI score 5.8 | EPSS 0.00147
Exploits: 0 | References: 2

Tenable Nessus
added 2026/03/09 12:0 a.m. | 0 views

Qnap QTS and QuTS Improper Link Resolution Before File Access (CVE-2025-66277)

A link following vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to traverse the file system to unintended locations. We have already fixed the vulnerability in the following versions: QTS 5.2.8.3350 build...

CVSS 9.8 | AI score 5.8 | EPSS 0.00093
Exploits: 0 | References: 2

Tenable Nessus
added 2026/03/09 12:0 a.m. | 4 views

Qnap QTS and QuTS NULL Pointer Dereference (CVE-2025-47205)

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service DoS attack. We have already fixed the vulnerability in the...

CVSS 5.1 | AI score 5.8 | EPSS 0.00045
Exploits: 0 | References: 2

OSV
added 2026/02/23 8:28 p.m. | 0 views

ALPINE-CVE-2026-21863

Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out bound read, which might result in the system crashing. The Valkey clusterbus packet processin...

CVSS 7.5 | AI score 6 | EPSS 0.0002
Exploits: 0 | References: 1

CVE
added 2026/02/11 12:15 p.m. | 12 views

CVE-2025-66277

CVE-2025-66277 is a high-severity, network-exploitable vulnerability in several QNAP OS platforms where a crafted link can enable filesystem traversal to unintended locations. The CVE lists a root cause related to path traversal within a link-following component and indicates a modified impact on...

CVSS 9.8 | AI score 5.5 | EPSS 0.00093
Exploits: 0 | References: 1 | Affected Software: 1

Tenable Nessus
added 2026/01/20 12:0 a.m. | 2 views

Qnap QTS and QuTS hero Buffer Copy without Checking Size of Input (CVE-2025-52863)

A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following versions: QTS...

CVSS 8.1 | AI score 5.8 | EPSS 0.00132
Exploits: 0 | References: 2

Tenable Nessus
added 2026/01/20 12:0 a.m. | 2 views

Qnap QTS and QuTS hero Buffer Copy without Checking Size of Input (CVE-2025-52872)

A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following versions: QTS...

CVSS 8.1 | AI score 5.8 | EPSS 0.00132
Exploits: 0 | References: 2

Tenable Nessus
added 2026/01/20 12:0 a.m. | 3 views

Qnap QTS and QuTS hero Use of Externally-Controlled Format String (CVE-2025-53591)

A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret data or modify memory. We have already fixed the vulnerabili...

CVSS 6.5 | AI score 5.4 | EPSS 0.00044
Exploits: 0 | References: 2

RedhatCVE
added 2026/01/03 3:7 p.m. | 2 views

CVE-2025-52864

A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following versions: QTS...

CVSS 8.1 | AI score 7.3 | EPSS 0.00132
Exploits: 0 | References: 1

CVE
added 2026/01/02 3:18 p.m. | 5 views

CVE-2025-59380

CVE-2025-59380 describes a path traversal vulnerability in QNAP QTS and QuTS hero. A remote attacker with administrator privileges could read unexpected files or system data. Concrete details from connected sources: affected products are QTS 5.2.8.3332 build 20251128 and later, and QuTS hero h5.2...

CVSS 6.9 | AI score 6.5 | EPSS 0.00017
Exploits: 0 | References: 1 | Affected Software: 1

OSV
added 2026/01/02 3:16 p.m. | 1 views

CVE-2025-53591

A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret data or modify memory. We have already fixed the vulnerabili...

CVSS 6.5 | AI score 5.8
Exploits: 0 | References: 1

CVE
added 2026/01/02 2:56 p.m. | 4 views

CVE-2025-54164

This CVE-2025-54164 describes an out-of-bounds read affecting QNAP QTS and QuTS hero OS versions. The vulnerability requires an attacker with an administrator account to exploit remotely to access secret data. Affected prior releases include QTS before 5.2.7.3256 (build 20250913) and QuTS hero be...

CVSS 6.9 | AI score 6.5 | EPSS 0.00048
Exploits: 0 | References: 1 | Affected Software: 1

Cvelist
added 2026/01/02 2:56 p.m. | 16 views

CVE-2025-53592 QTS, QuTS hero

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service DoS attack. We have already fixed the vulnerability in the following...

CVSS 5.3 | EPSS 0.00127
Exploits: 0 | References: 1

CVE
added 2026/01/02 2:54 p.m. | 5 views

CVE-2025-52864

CVE-2025-52864 describes a buffer overflow in QNAP OS families (QTS and QuTS hero) due to a buffer copy without checking size. The flaw allows a remote attacker who has a user account to modify memory or crash affected processes, potentially impacting system stability and availability. Affected v...

CVSS 8.1 | AI score 7 | EPSS 0.00132
Exploits: 0 | References: 1 | Affected Software: 1

Positive Technologies
added 2026/01/02 12:0 a.m. | 2 views

PT-2026-1084

Name of the Vulnerable Software and Affected Versions QNAP versions prior to QTS 5.2.7.3256 build 20250913 QNAP versions prior to QuTS hero h5.2.7.3256 build 20250913 QNAP versions prior to QuTS hero h5.3.1.3250 build 20250912 Description A buffer overflow condition exists in QNAP operating...

CVSS 6.5 | AI score 7 | EPSS 0.00107
Exploits: 0 | References: 5

OSV
added 2025/12/16 3:15 a.m. | 0 views

CVE-2025-62848

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to launch a denial-of-service DoS attack. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3297 build...

CVSS 7.5 | AI score 5.8 | EPSS 0.00178
Exploits: 0 | References: 1

NVD
added 2025/12/16 3:15 a.m. | 1 views

CVE-2025-62848

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to launch a denial-of-service DoS attack. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3297 build...

CVSS 9.3 | EPSS 0.00178
Exploits: 0 | References: 1

Vulnrichment
added 2025/12/16 2:25 a.m. | 1 views

CVE-2025-59385 QTS, QuTS hero

An authentication bypass by spoofing vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to access resources which are not otherwise accessible without proper authentication. We have already fixed the...

CVSS 9.3 | AI score 6.6 | EPSS 0.00601
Exploits: 0 | References: 1

CVE
added 2025/12/16 2:25 a.m. | 44 views

CVE-2025-62847

CVE-2025-62847 is an actual, documented vulnerability affecting QNAP QTS and QuTS hero. It is described as an improper neutralization of argument delimiters in a command, enabling an attacker to alter execution logic on affected systems. Fixed versions are QTS 5.2.7.3297 build 20251024 and later,...

CVSS 8.7 | AI score 6.9 | EPSS 0.00107
Exploits: 0 | References: 1 | Affected Software: 1