Description
An improper neutralization of escape, meta, or control sequences vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to cause unexpected behavior.

We have already fixed the vulnerability in the following version:
QuRouter 2.6.3.009 and later
Published: 2026-03-20
Score: 5.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local vulnerability leading to unexpected behavior
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in QHora arises from improper neutralization of escape, meta, or control sequences. If a local attacker gains an administrator account, they can use this flaw to trigger unexpected behavior within the system. This weakness can potentially disrupt normal operations or expose sensitive information, depending on the context of the exploited feature.

Affected Systems

Vendor QNAP Systems Inc. provides the QuRouter device. All builds of the product before version 2.6.3.009 are considered susceptible, as the vendor’s advisory states the issue is corrected starting from that release.

Risk and Exploitability

The CVSS score of 5.6 indicates moderate severity, and the lack of a publicly disclosed exploit or inclusion in the CISA KEV list suggests limited current threat. However, the flaw requires local administrative access, which attackers might achieve through physical access or compromise of other privileged accounts. Updating to the patched firmware is the most effective countermeasure.

Generated by OpenCVE AI on March 20, 2026 at 17:23 UTC.

Remediation

Vendor Solution

We have already fixed the vulnerability in the following version: QuRouter 2.6.3.009 and later

OpenCVE Recommended Actions

  • Upgrade to QuRouter 2.6.3.009 or later
  • Verify the firmware version has been updated to the patched release
  • Stay informed by monitoring QNAP’s security advisories for future updates

Generated by OpenCVE AI on March 20, 2026 at 17:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Qnap
Qnap qurouter
CPEs cpe:2.3:o:qnap:qurouter:2.6.0.239:build_20250625:*:*:*:*:*:*
cpe:2.3:o:qnap:qurouter:2.6.0.688:build_20250818:*:*:*:*:*:*
cpe:2.3:o:qnap:qurouter:2.6.1.028:build_20251001:*:*:*:*:*:*
cpe:2.3:o:qnap:qurouter:2.6.2.007:build_20251027:*:*:*:*:*:*
Vendors & Products Qnap
Qnap qurouter
Metrics cvssV3_1

{'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Wed, 25 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Qnap Systems
Qnap Systems qurouter
Vendors & Products Qnap Systems
Qnap Systems qurouter

Fri, 20 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
Description An improper neutralization of escape, meta, or control sequences vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to cause unexpected behavior. We have already fixed the vulnerability in the following version: QuRouter 2.6.3.009 and later
Title QuRouter
Weaknesses CWE-150
References
Metrics cvssV4_0

{'score': 5.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H/E:U'}

Subscriptions

Qnap Qurouter
Qnap Systems Qurouter
cve-icon MITRE

Status: PUBLISHED

Assigner: qnap

Published:

Updated: 2026-03-25T14:02:24.019Z

Reserved: 2025-10-24T02:43:45.372Z

Link: CVE-2025-62845

cve-icon Vulnrichment

Updated: 2026-03-25T14:02:18.992Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T17:16:42.560

Modified: 2026-04-14T14:25:40.667

Link: CVE-2025-62845

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:29:07Z

Weaknesses