CVE-2026-41539
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk9th percentile - higher than 9% of all known CVEs
Summary
A cross-site scripting (XSS) vulnerability has been reported in several QNAP operating system versions. Remote attackers can exploit this flaw to bypass security mechanisms or read application data.
Risk Assessment
The risk involves potential theft of sensitive data or session hijacking, which could compromise data confidentiality and integrity within the organization.
Recommendation
Immediately update QTS to version 5.2.9.3492 or later, and QuTS hero to version h5.2.9.3499, h5.3.4.3500, or h6.0.0.3500 (depending on the version).
Original NVD description (English source)
A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3500 build 20260520 and later

