Description
An SQL injection vulnerability has been reported to affect Video Station. If an attacker gains local network access who have also gained an administrator account, they can then exploit the vulnerability to execute unauthorized code or commands.

We have already fixed the vulnerability in the following version:
Video Station 5.8.2 and later
Published: 2026-03-11
Score: 0.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Code Execution
Action: Patch
AI Analysis

Impact

An SQL injection flaw exists in QNAP Video Station that allows an attacker with local network access and an administrator account to inject arbitrary SQL statements, thereby executing unauthorized code or system commands (CWE‑89).

Affected Systems

All QNAP Video Station deployments running a version earlier than 5.8.2 are vulnerable; QNAP states the issue has been resolved in Video Station 5.8.2 and later.

Risk and Exploitability

The CVSS base score is 0.1, EPSS is below 1 %, and the vulnerability is not included in the CISA KEV catalog. Exploitation requires local network presence and administrative credentials, so the attack vector is local. While the severity rating is low, the potential for code execution makes the issue a high‑importance security concern for environments that cannot tightly control internal access.

Generated by OpenCVE AI on March 17, 2026 at 16:03 UTC.

Remediation

Vendor Solution

We have already fixed the vulnerability in the following version: Video Station 5.8.2 and later

OpenCVE Recommended Actions

  • Apply QNAP Video Station version 5.8.2 or later.
  • Confirm the update has been successfully installed.
  • Reboot the device to ensure all changes take effect.
  • Continuously monitor system logs for suspicious activity.

Generated by OpenCVE AI on March 17, 2026 at 16:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
First Time appeared Qnap
Qnap video Station
CPEs cpe:2.3:a:qnap:video_station:*:*:*:*:*:*:*:*
Vendors & Products Qnap
Qnap video Station
Metrics cvssV3_1

{'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Qnap Systems
Qnap Systems video Station
Vendors & Products Qnap Systems
Qnap Systems video Station

Wed, 11 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 09:30:00 +0000

Type Values Removed Values Added
References

Wed, 11 Mar 2026 08:30:00 +0000

Type Values Removed Values Added
References

Wed, 11 Mar 2026 08:15:00 +0000

Type Values Removed Values Added
Description An SQL injection vulnerability has been reported to affect Video Station. If an attacker gains local network access who have also gained an administrator account, they can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following version: Video Station 5.8.2 and later
Title Video Station
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 0.1, 'vector': 'CVSS:4.0/AV:P/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:U'}

Subscriptions

Qnap Video Station
Qnap Systems Video Station
cve-icon MITRE

Status: PUBLISHED

Assigner: qnap

Published:

Updated: 2026-03-11T13:52:24.375Z

Reserved: 2026-03-09T01:19:42.128Z

Link: CVE-2024-14025

cve-icon Vulnrichment

Updated: 2026-03-11T13:52:19.088Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T08:16:02.747

Modified: 2026-03-13T13:06:09.677

Link: CVE-2024-14025

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T14:37:34Z

Weaknesses