Description
A cross-site request forgery (CSRF) vulnerability has been reported to affect Notification Center. Remote attackers can exploit the vulnerability to gain privileges or hijack user identities.

We have already fixed the vulnerability in the following version:
Notification Center 1.10.0.3291 and later
Published: 2026-06-10
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

CVE-2025-58468 is a cross-site request forgery flaw in QNAP Systems Inc.'s Notification Center. A remote attacker can forge a request that the victim's browser sends with the victim's existing authenticated session, so the attacker can perform actions with the victim's privileges or hijack the user account. The flaw is a standard CSRF weakness (CWE-352) that can result in unauthorized access, configuration changes, or other privileged operations on the affected device.

Affected Systems

The vulnerability affects QNAP Systems Inc.'s Notification Center software prior to release 1.10.0.3291, that is, all builds older than 1.10.0.3291 running on QNAP NAS devices that host the Notification Center service.

Risk and Exploitability

The CVSS score of 5.1 places the flaw in the medium-severity range. EPSS is not available, and the vulnerability is not listed in KEV, indicating no known mass exploitation. An attacker still has to craft a malicious request and needs the victim to be authenticated to the device, so exploitation likely depends on social engineering or a compromised user session. Nevertheless, because a CSRF request can be triggered from any domain, the risk remains moderate until the vendor release is applied.

Generated by OpenCVE AI on June 10, 2026 at 03:20 UTC.

Remediation

Vendor Solution

We have already fixed the vulnerability in the following version: Notification Center 1.10.0.3291 and later


OpenCVE Recommended Actions

  • Update Notification Center to the vendor-patched version 1.10.0.3291 or later.
  • Configure a Web Application Firewall or equivalent filter to block suspicious HTTP POST requests, or limit access to the Notification Center service to trusted IP ranges.
  • If the patch cannot be applied immediately, disable the Notification Center service or isolate it from external networks.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 17:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 11:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Qnap Systems; Qnap Systems notification Center
Vendors & Products | | Qnap Systems; Qnap Systems notification Center

Wed, 10 Jun 2026 02:30:00 +0000

Type | Values Removed | Values Added
Description | | A cross-site request forgery (CSRF) vulnerability has been reported to affect Notification Center. The remote attackers can then exploit the vulnerability to gain privileges or hijack user identities. We have already fixed the vulnerability in the following version: Notification Center 1.10.0.3291 and later
Title | | Notification Center
Weaknesses | | CWE-352
References | |
Metrics | | cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: qnap

Published:

Updated: 2026-06-10T16:02:34.031Z

Reserved: 2025-09-03T00:59:25.448Z

Link: CVE-2025-58468

Vulnrichment

Updated: 2026-06-10T16:02:30.432Z

NVD

Status: Awaiting Analysis

Published: 2026-06-10T03:16:24.377

Modified: 2026-06-10T19:43:28.857

Link: CVE-2025-58468

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T11:21:23Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)