CVE-2025-62846 - Vulnerability Details - OpenCVE

An SQL injection vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to execute unauthorized code or commands.

We have already fixed the vulnerability in the following version:
QuRouter 2.6.2.007 and later

Attack Vector Local

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact High

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

QNAP Systems Inc.

QuRouter

unaffected

Version	Status	Constraints
`2.6.x`	affected	< 2.6.2.007

No data.

No data.

No data.

Subscriptions

No data.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Fixes

Solution

We have already fixed the vulnerability in the following version: QuRouter 2.6.2.007 and later

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.qnap.com/en/security-advisory/qsa-26-12

History

Fri, 20 Mar 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		An SQL injection vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following version: QuRouter 2.6.2.007 and later
Title		QuRouter
Weaknesses		CWE-89
References		https://www.qnap.com/en/security-advisory/qsa-26-12
Metrics		cvssV4_0 `{'score': 7.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U'}`

MITRE

Status: PUBLISHED

Assigner: qnap

Published: 2026-03-20T16:21:46.008Z

Updated: 2026-03-20T16:21:46.008Z

Reserved: 2025-10-24T02:43:45.372Z

Link: CVE-2025-62846

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-20T17:16:43.110

Modified: 2026-03-20T17:16:43.110

Link: CVE-2025-62846

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-89

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-62846", "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "state": "PUBLISHED", "assignerShortName": "qnap", "dateReserved": "2025-10-24T02:43:45.372Z", "datePublished": "2026-03-20T16:21:46.008Z", "dateUpdated": "2026-03-20T16:21:46.008Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap", "dateUpdated": "2026-03-20T16:21:46.008Z"}, "title": "QuRouter", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-89", "description": "CWE-89", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66"}]}], "affected": [{"vendor": "QNAP Systems Inc.", "product": "QuRouter", "versions": [{"status": "affected", "version": "2.6.x", "lessThan": "2.6.2.007", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "An SQL injection vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to execute unauthorized code or commands.\n\nWe have already fixed the vulnerability in the following version:\nQuRouter 2.6.2.007 and later", "supportingMedia": [{"type": "text/html", "base64": false, "value": "An SQL injection vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to execute unauthorized code or commands.<br><br>We have already fixed the vulnerability in the following version:<br>QuRouter 2.6.2.007 and later<br>"}]}], "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-26-12"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "UNREPORTED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 7.3, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U"}}], "solutions": [{"lang": "en", "value": "We have already fixed the vulnerability in the following version:\nQuRouter 2.6.2.007 and later", "supportingMedia": [{"type": "text/html", "base64": false, "value": "We have already fixed the vulnerability in the following version:<br>QuRouter 2.6.2.007 and later<br>"}]}], "credits": [{"lang": "en", "value": "Pwn2Own 2025 - Team DDOS", "type": "finder"}], "source": {"advisory": "QSA-26-12", "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An SQL injection vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to execute unauthorized code or commands.\n\nWe have already fixed the vulnerability in the following version:\nQuRouter 2.6.2.007 and later"}], "id": "CVE-2025-62846", "lastModified": "2026-03-20T17:16:43.110", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@qnapsecurity.com.tw", "type": "Secondary"}]}, "published": "2026-03-20T17:16:43.110", "references": [{"source": "security@qnapsecurity.com.tw", "url": "https://www.qnap.com/en/security-advisory/qsa-26-12"}], "sourceIdentifier": "security@qnapsecurity.com.tw", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@qnapsecurity.com.tw", "type": "Primary"}]}