Description
An SQL injection vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to execute unauthorized code or commands.

We have already fixed the vulnerability in the following version:
QuRouter 2.6.2.007 and later
Published: 2026-03-20
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Code Execution
Action: Patch
AI Analysis

Impact

An SQL injection flaw in the QHora component of QNAP QuRouter enables an attacker who has local administrator privileges to inject malicious SQL statements. This capability can lead to the execution of unauthorized code or system commands on the device, compromising data confidentiality, integrity, and availability. The weakness is formally identified as CWE‑89.

Affected Systems

The vulnerability affects QNAP Systems Inc.’s QuRouter firmware versions 2.6.0.239 (build_20250625), 2.6.0.688 (build_20250818), and 2.6.1.028 (build_20251001). All releases prior to 2.6.2.007 are impacted; versions 2.6.2.007 and later contain the fix.

Risk and Exploitability

The CVSS base score of 7.3 indicates High severity, but the EPSS score of less than 1% and absence from the CISA KEV catalogue suggest a low likelihood of widespread exploitation. The attack requires local admin access, so the risk is confined to environments where such credentials exist or are poorly managed. Devices with exposed local admin interfaces remain the primary threat vector.

Generated by OpenCVE AI on April 14, 2026 at 15:32 UTC.

Remediation

Vendor Solution

We have already fixed the vulnerability in the following version: QuRouter 2.6.2.007 and later

OpenCVE Recommended Actions

  • Upgrade QuRouter firmware to version 2.6.2.007 or later, which contains the patch for the SQL injection flaw.
  • If the upgrade cannot be applied immediately, restrict or disable the QHora feature and remove local administrator accounts that are not required for normal operation.
  • Implement least‑privilege policies for local accounts and enforce strong authentication to prevent unauthorized admin access.
  • Monitor system logs for signs of SQL injection activity or unauthorized command execution and respond promptly to any suspicious events.

Generated by OpenCVE AI on April 14, 2026 at 15:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Qnap
Qnap qurouter
CPEs cpe:2.3:o:qnap:qurouter:2.6.0.239:build_20250625:*:*:*:*:*:*
cpe:2.3:o:qnap:qurouter:2.6.0.688:build_20250818:*:*:*:*:*:*
cpe:2.3:o:qnap:qurouter:2.6.1.028:build_20251001:*:*:*:*:*:*
Vendors & Products Qnap
Qnap qurouter
Metrics cvssV3_1

{'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Wed, 25 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Qnap Systems
Qnap Systems qurouter
Vendors & Products Qnap Systems
Qnap Systems qurouter

Fri, 20 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
Description An SQL injection vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following version: QuRouter 2.6.2.007 and later
Title QuRouter
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 7.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U'}

Subscriptions

Qnap Qurouter
Qnap Systems Qurouter
cve-icon MITRE

Status: PUBLISHED

Assigner: qnap

Published:

Updated: 2026-03-25T14:03:08.625Z

Reserved: 2025-10-24T02:43:45.372Z

Link: CVE-2025-62846

cve-icon Vulnrichment

Updated: 2026-03-25T14:03:04.501Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T17:16:43.110

Modified: 2026-04-14T14:18:06.637

Link: CVE-2025-62846

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:43:51Z

Weaknesses