Description
A cross-site scripting (XSS) vulnerability has been reported to affect QuFTP Service. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data.

We have already fixed the vulnerability in the following versions:
QuFTP Service 1.4.3 and later
QuFTP Service 1.5.2 and later
QuFTP Service 1.6.2 and later
Published: 2026-03-20
Score: 2.2 Low
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting allowing privileged code execution or data exposure
Action: Patch Immediately
AI Analysis

Impact

A cross‑site scripting vulnerability exists in QNAP’s QuFTP Service. When an attacker obtains an administrator account, they can insert malicious scripts that run in the context of the service, enabling them to bypass controls or read application data. The flaw is identified as CWE‑79.

Affected Systems

The affected product is QNAP Systems Inc.’s QuFTP Service. All releases prior to the patched versions 1.4.3, 1.5.2 and 1.6.2 are vulnerable. Updated releases containing these patches should be deployed to any environment running the service.

Risk and Exploitability

The CVSS score of 2.2 reflects low technical severity, but the requirement for administrator access raises the practical risk. Exploitation is remote and depends on privileged credentials. EPSS data is unavailable and the vulnerability is not listed in CISA’s KEV catalog. If an administrator account is compromised or exposed, the risk to confidentiality and integrity increases significantly.

Generated by OpenCVE AI on March 20, 2026 at 17:51 UTC.

Remediation

Vendor Solution

We have already fixed the vulnerability in the following versions:
QuFTP Service 1.4.3 and later
QuFTP Service 1.5.2 and later
QuFTP Service 1.6.2 and later


OpenCVE Recommended Actions

  • Update QuFTP Service to the patched release for its branch: 1.4.3 or later on the 1.4 branch, 1.5.2 or later on the 1.5 branch, 1.6.2 or later on the 1.6 branch.
  • Verify the installed version of the service to confirm it is one of the patched releases.
  • Limit administrator access to trusted IP addresses and enforce strong authentication to reduce credential compromise.
  • Monitor web application logs for unusual script injection attempts and perform regular security reviews of the QuFTP configuration.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 21:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Qnap; Qnap quftp
CPEs | | cpe:2.3:a:qnap:quftp:*:*:*:*:*:*:*:*
Vendors & Products | | Qnap; Qnap quftp
Metrics | | cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}


Fri, 27 Mar 2026 05:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Qnap Systems; Qnap Systems quftp Service
Vendors & Products | | Qnap Systems; Qnap Systems quftp Service


Fri, 20 Mar 2026 16:30:00 +0000

Type | Values Removed | Values Added
Description | | A cross-site scripting (XSS) vulnerability has been reported to affect QuFTP Service. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: QuFTP Service 1.4.3 and later QuFTP Service 1.5.2 and later QuFTP Service 1.6.2 and later
Title | | QuFTP Service
Weaknesses | | CWE-79
References | |
Metrics | | cvssV4_0 {'score': 2.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: qnap

Published:

Updated: 2026-03-25T14:03:29.588Z

Reserved: 2026-01-13T07:49:08.783Z

Link: CVE-2026-22895

Vulnrichment

Updated: 2026-03-25T14:03:26.323Z

NVD

Status: Analyzed

Published: 2026-03-20T17:16:43.980

Modified: 2026-04-10T20:51:58.103

Link: CVE-2026-22895

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:29:09Z

Weaknesses