Description
A cross-site request forgery (CSRF) vulnerability has been reported to affect Notification Center. The remote attackers can then exploit the vulnerability to gain privileges or hijack user identities.

We have already fixed the vulnerability in the following version:
Notification Center 1.10.0.3291 and later
Published: 2026-06-10
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

CVE-2025-58468 is a cross‑site request forgery flaw in QNAP Systems Inc.’s Notification Center. A remote attacker can forge a request that a victim’s browser already authenticates, enabling the attacker to perform actions with the victim’s privileges or hijack the user account. The flaw is a standard CSRF weakness (CWE‑352) that can result in unauthorized access, configuration changes, or other privileged operations on the affected device.

Affected Systems

The vulnerability affects all builds of QNAP Systems Inc.’s Notification Center older than 1.10.0.3291 running on QNAP NAS devices that host the Notification Center service.

Risk and Exploitability

The CVSS score of 5.1 places the flaw in the medium‑severity range. EPSS is not available, and the vulnerability is not listed in KEV, indicating no known mass exploitation. Exploitation requires the attacker to craft a malicious request and the victim to be authenticated to the device, so it likely depends on social engineering or a compromised user session. Nevertheless, because CSRF can be triggered from any domain, the risk remains moderate until the vendor release is applied.

Generated by OpenCVE AI on June 10, 2026 at 03:20 UTC.

Remediation

Vendor Solution

We have already fixed the vulnerability in the following version: Notification Center 1.10.0.3291 and later


OpenCVE Recommended Actions

  • Update Notification Center to the patched vendor release, 1.10.0.3291 or later
  • Configure a Web Application Firewall or equivalent filter to block suspicious HTTP POST requests or limit access to the Notification Center service to trusted IP ranges
  • If a patch cannot be applied immediately, disable the Notification Center service or isolate it from external networks

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 02:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A cross-site request forgery (CSRF) vulnerability has been reported to affect Notification Center. The remote attackers can then exploit the vulnerability to gain privileges or hijack user identities. We have already fixed the vulnerability in the following version: Notification Center 1.10.0.3291 and later |
| Title | | Notification Center |
| Weaknesses | | CWE-352 |
| References | | |
| Metrics | | cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: qnap

Published:

Updated: 2026-06-10T01:38:27.401Z

Reserved: 2025-09-03T00:59:25.448Z

Link: CVE-2025-58468

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-10T03:16:24.377

Modified: 2026-06-10T03:16:24.377

Link: CVE-2025-58468

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T03:30:16Z

Weaknesses