Description
A cross-site scripting (XSS) vulnerability has been reported to affect QuFTP Service. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data.

We have already fixed the vulnerability in the following versions:
QuFTP Service 1.4.3 and later
QuFTP Service 1.5.2 and later
QuFTP Service 1.6.2 and later
Published: 2026-03-20
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A cross‑site scripting flaw in QNAP's QuFTP Service allows a remote attacker who has acquired an administrator account to inject malicious scripts into the web interface. The injected code can read application data and potentially bypass existing security checks, creating opportunities for defacement, data theft, or credential hijacking. The weakness is identified as CWE‑79 and is limited to scenarios where privileged credentials are present.

Affected Systems

QNAP Systems Inc. provides the QuFTP Service. Any release prior to QuFTP Service 1.4.3, 1.5.2, or 1.6.2 is vulnerable. Users running these older versions should be aware that the issue affects the entire application exposed through the web management console.

Risk and Exploitability

The CVSS score is 6.2 and the EPSS score is below 1%, indicating a medium but real risk. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to already hold an administrator login; the likely attack vector, inferred from the nature of the flaw, is the web interface, where user-controlled input is reflected in rendered pages. Given the medium severity and the privileged-user prerequisite, the overall threat is moderate until the patch is deployed.

Generated by OpenCVE AI on June 9, 2026 at 05:51 UTC.

Remediation

Vendor Solution

We have already fixed the vulnerability in the following versions:
QuFTP Service 1.4.3 and later
QuFTP Service 1.5.2 and later
QuFTP Service 1.6.2 and later

OpenCVE Recommended Actions

  • Upgrade QuFTP Service to version 1.4.3 or later, 1.5.2 or later, or 1.6.2 or later, depending on the currently running release.
  • Reduce the attack surface by disabling or restricting web interface access for administrator accounts and removing any unnecessary administrator accounts.
  • Monitor system logs for unusual scripting activity or attempted exploitation and investigate any alerts promptly.

Generated by OpenCVE AI on June 9, 2026 at 05:51 UTC.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 04:45:00 +0000

Type: Metrics (cvssV4_0)
Values Removed: {'score': 2.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:U'}
Values Added: {'score': 6.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N'}


Fri, 10 Apr 2026 21:00:00 +0000

Type: First Time appeared
Values Added: Qnap; Qnap quftp
Type: CPEs
Values Added: cpe:2.3:a:qnap:quftp:*:*:*:*:*:*:*:*
Type: Vendors & Products
Values Added: Qnap; Qnap quftp
Type: Metrics (cvssV3_1)
Values Added: {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}


Fri, 27 Mar 2026 05:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Added: Qnap Systems; Qnap Systems quftp Service
Type: Vendors & Products
Values Added: Qnap Systems; Qnap Systems quftp Service

Fri, 20 Mar 2026 16:30:00 +0000

Type: Description
Values Added: A cross-site scripting (XSS) vulnerability has been reported to affect QuFTP Service. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: QuFTP Service 1.4.3 and later; QuFTP Service 1.5.2 and later; QuFTP Service 1.6.2 and later
Type: Title
Values Added: QuFTP Service
Type: Weaknesses
Values Added: CWE-79
Type: References
Values Added:
Type: Metrics (cvssV4_0)
Values Added: {'score': 2.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:U'}


Subscriptions

Qnap Quftp
Qnap Systems Quftp Service
MITRE

Status: PUBLISHED

Assigner: qnap

Published:

Updated: 2026-06-09T04:12:16.251Z

Reserved: 2026-01-13T07:49:08.783Z

Link: CVE-2026-22895

Vulnrichment

Updated: 2026-03-25T14:03:26.323Z

NVD

Status : Modified

Published: 2026-03-20T17:16:43.980

Modified: 2026-06-09T05:16:34.237

Link: CVE-2026-22895

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T06:00:15Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')