Description
A path traversal vulnerability has been reported to affect License Center. If a local attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data.

We have already fixed the vulnerability in the following version:
License Center 1.9.56 and later
Published: 2026-06-10
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated local attacker with administrator privileges can exploit a path traversal flaw in QNAP License Center to resolve and access arbitrary file paths outside the intended directory. This flaw can expose sensitive configuration files, system data, or other protected content, potentially compromising the confidentiality of the host. The weakness is classified as CWE‑22, improper limitation of a pathname to a restricted directory.

Affected Systems

QNAP Systems Inc. License Center versions prior to 1.9.56, specifically 1.9.55 and earlier, are vulnerable. The issue was fixed in the 1.9.56 release and later. Only installations of License Center that have not been updated to at least 1.9.56 are at risk.

Risk and Exploitability

With a CVSS base score of 4.6, the vulnerability is considered moderate. The EPSS score is 0.00246, indicating a very low but non‑zero likelihood of exploitation, and it is not listed in the CISA KEV catalog. Because exploitation requires local administrator access, the attack surface is limited to users who already have administrative privileges. If such access is obtained, the attacker can read arbitrary files, but remote exploitation and privilege escalation are not possible.

Generated by OpenCVE AI on June 17, 2026 at 19:28 UTC.

Remediation

Vendor Solution

We have already fixed the vulnerability in the following version: License Center 1.9.56 and later


OpenCVE Recommended Actions

  • Upgrade QNAP License Center to version 1.9.56 or later.
  • Restrict local administrator accounts to the minimum necessary permissions to prevent unnecessary file access.
  • Conduct an audit of file permissions and access controls on affected hosts to ensure no sensitive files remain exposed through the application.


Advisories

No advisories yet.

History

Wed, 17 Jun 2026 05:15:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'} | cvssV4_0 {'score': 4.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U'}


Fri, 12 Jun 2026 14:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Qnap; Qnap license Center
CPEs | | cpe:2.3:a:qnap:license_center:*:*:*:*:*:*:*:*
Vendors & Products | | Qnap; Qnap license Center
Metrics | | cvssV3_1 {'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


Wed, 10 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 11:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Qnap Systems; Qnap Systems license Center
Vendors & Products | | Qnap Systems; Qnap Systems license Center

Wed, 10 Jun 2026 03:45:00 +0000

Type | Values Removed | Values Added
Description | | A path traversal vulnerability has been reported to affect License Center. If a local attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: License Center 1.9.56 and later
Title | | License Center
Weaknesses | | CWE-22
References | |
Metrics | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: qnap

Published:

Updated: 2026-06-17T01:53:08.353Z

Reserved: 2025-10-24T02:43:49.268Z

Link: CVE-2025-62851

Vulnrichment

Updated: 2026-06-10T15:55:52.159Z

NVD

Status: Analyzed

Published: 2026-06-10T04:17:11.913

Modified: 2026-06-12T13:47:40.827

Link: CVE-2025-62851

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T19:30:11Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')