CVE Catalog

CVE-2026-41539

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.19%

9th percentile - higher than 9% of all known CVEs

Summary

A cross-site scripting (XSS) vulnerability has been reported in several QNAP operating system versions. Remote attackers can exploit this flaw to bypass security mechanisms or read application data.

Risk Assessment

The risk involves potential theft of sensitive data or session hijacking, which could compromise data confidentiality and integrity within the organization.

Recommendation

Immediately update QTS to version 5.2.9.3492 or later, and QuTS hero to version h5.2.9.3499, h5.3.4.3500, or h6.0.0.3500 (depending on the version).

Original NVD description (English source)

A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3500 build 20260520 and later

Vulnerability data from NVD (NIST) · CISA KEV · EPSS