Description
A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to bypass security mechanisms or read application data.

We have already fixed the vulnerability in the following versions:
QTS 5.2.9.3492 build 20260507 and later
QuTS hero h5.2.9.3499 build 20260514 and later
QuTS hero h5.3.4.3500 build 20260520 and later
QuTS hero h6.0.0.3500 build 20260520 and later
Published: 2026-06-09
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a cross-site scripting flaw that lets remote attackers inject script into web pages served by QNAP's QTS and QuTS hero firmware. The injected script runs in the victim's browser, where it can read application data, modify page content, or bypass security mechanisms. The issue is classified as CWE-79, and the CVSS score of 6.3 indicates a moderate impact on confidentiality and integrity.

Affected Systems

The flaw affects QNAP QTS devices running firmware earlier than 5.2.9.3492 build 20260507, and QuTS hero devices running firmware earlier than h5.2.9.3499 build 20260514 (h5.2 line), h5.3.4.3500 build 20260520 (h5.3 line), or h6.0.0.3500 build 20260520 (h6.0 line). The individual affected builds are enumerated in the CPE list under History below.

Risk and Exploitability

The attack vector is the web management interface: it accepts user-supplied data and does not properly escape it before rendering, and a user who views the resulting page executes the injected script (the CVSS vectors on this page record the required user interaction as UI:P and UI:R). The EPSS score of less than 1% reflects a very low but non-zero likelihood of exploitation at present. The CVSS score of 6.3 represents a moderate risk, and the vulnerability is not included in the CISA KEV catalog, so no in-the-wild exploitation has been confirmed there. The most effective mitigation is to apply the vendor-released firmware updates immediately.

Generated by OpenCVE AI on June 30, 2026 at 04:50 UTC.

Remediation

Vendor Solution

We have already fixed the vulnerability in the following versions:
QTS 5.2.9.3492 build 20260507 and later
QuTS hero h5.2.9.3499 build 20260514 and later
QuTS hero h5.3.4.3500 build 20260520 and later
QuTS hero h6.0.0.3500 build 20260520 and later

OpenCVE Recommended Actions

  • Upgrade firmware to the latest release: QTS 5.2.9.3492 build 20260507 or later, or QuTS hero h5.2.9.3499 build 20260514, h5.3.4.3500 build 20260520, or h6.0.0.3500 build 20260520 or later.
  • Restrict access to the management interface to trusted internal networks or VPN connections, disabling any unused web services.
  • If the firmware provides a content security policy or similar restriction, enable it on the web interface to limit the execution of malicious scripts until the patch can be applied.

Generated by OpenCVE AI on June 30, 2026 at 04:50 UTC.
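A practical first step for the upgrade action above is to check every QNAP device in an inventory against the fixed versions the advisory names. The script below is an added example, not part of the OpenCVE record or QNAP's tooling: it parses QNAP firmware strings (the leading "h" marks QuTS hero), matches each device to its release line by major.minor, and reports "fixed", "vulnerable", or "unknown" when a device runs a line the advisory does not list. The host names and the h5.1 version in the sample inventory are constructed; the other versions are taken from the CPE list and fixed-version list on this page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Fixed versions exactly as quoted in the advisory text on this page.
FIXED_VERSIONS = {
    "QTS": ["5.2.9.3492 build 20260507"],
    "QuTS hero": [
        "h5.2.9.3499 build 20260514",
        "h5.3.4.3500 build 20260520",
        "h6.0.0.3500 build 20260520",
    ],
}

# Matches "5.2.9.3492 build 20260507" or "h5.3.4.3500 build 20260520";
# the build date is optional because some inventories only record the version.
_VERSION_RE = re.compile(
    r"^(?P<hero>h)?(?P<a>\d+)\.(?P<b>\d+)\.(?P<c>\d+)\.(?P<d>\d+)"
    r"(?:\s+build\s+(?P<build>\d{8}))?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Firmware:
    product: str            # "QTS" or "QuTS hero"
    version: tuple          # (major, minor, patch, revision)
    build: Optional[int]    # build date as YYYYMMDD, None if not recorded

    @property
    def branch(self) -> tuple:
        # QNAP ships a separate fix per major.minor line, so that is the branch key.
        return self.version[:2]


def parse_firmware(text: str) -> Firmware:
    """Parse a QNAP firmware string; a leading 'h' marks QuTS hero."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    product = "QuTS hero" if m.group("hero") else "QTS"
    version = tuple(int(m.group(k)) for k in ("a", "b", "c", "d"))
    build = int(m.group("build")) if m.group("build") else None
    return Firmware(product, version, build)


def is_at_least(fw: Firmware, fixed: Firmware) -> bool:
    """The numeric version decides; the build date only breaks ties when both sides have one."""
    if fw.version != fixed.version:
        return fw.version > fixed.version
    if fw.build is not None and fixed.build is not None:
        return fw.build >= fixed.build
    return True


def assess(text: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for one firmware string.

    'unknown' means the device runs a release line the advisory does not list,
    so this check cannot decide either way and the device needs manual review.
    """
    fw = parse_firmware(text)
    for fixed_text in FIXED_VERSIONS[fw.product]:
        fixed = parse_firmware(fixed_text)
        if fixed.branch == fw.branch:
            return "fixed" if is_at_least(fw, fixed) else "vulnerable"
    return "unknown"


def triage(inventory: dict) -> dict:
    """Map each host name to its assessment; inventory is {host: firmware string}."""
    return {host: assess(version) for host, version in inventory.items()}


# Constructed sample inventory: hypothetical host names; nas-05 carries a
# constructed version on a line the advisory does not mention.
SAMPLE_INVENTORY = {
    "nas-01": "5.2.9.3451 build 20260327",    # QTS, listed as affected
    "nas-02": "5.2.9.3492 build 20260507",    # QTS, the fixed release
    "nas-03": "h5.3.3.3424 build 20260305",   # QuTS hero 5.3 line, affected
    "nas-04": "h6.0.0.3500 build 20260520",   # QuTS hero 6.0 line, fixed
    "nas-05": "h5.1.8.2823",                  # line not covered by the advisory
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {verdict}")
```

Note that the CPE list on this page includes QuTS hero h5.2.9.3492 build 20260507 as affected even though the same numbers are the fixed QTS release; the branch lookup keeps the two products apart, so that device is correctly reported as vulnerable against the h5.2.9.3499 fix.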


Advisories

No advisories yet.

History

Tue, 30 Jun 2026 02:00:00 +0000

Type: References (values not shown)
Type: Metrics
  Values Removed: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}
  Values Added:   cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U'}


Fri, 12 Jun 2026 15:45:00 +0000

Type: First Time appeared
  Values Added: Qnap; Qnap qts; Qnap quts Hero
Type: CPEs
  Values Added (one per line):
cpe:2.3:o:qnap:qts:5.2.0.2737:build_20240417:*:*:*:*:*:*
cpe:2.3:o:qnap:qts:5.2.0.2744:build_20240424:*:*:*:*:*:*
cpe:2.3:o:qnap:qts:5.2.0.2782:build_20240601:*:*:*:*:*:*
cpe:2.3:o:qnap:qts:5.2.0.2802:build_20240620:*:*:*:*:*:*
cpe:2.3:o:qnap:qts:5.2.0.2823:build_20240711:*:*:*:*:*:*
cpe:2.3:o:qnap:qts:5.2.0.2851:build_20240808:*:*:*:*:*:*
cpe:2.3:o:qnap:qts:5.2.0.2860:build_20240817:*:*:*:*:*:*
cpe:2.3:o:qnap:qts:5.2.1.2930:build_20241025:*:*:*:*:*:*
cpe:2.3:o:qnap:qts:5.2.2.2950:build_20241114:*:*:*:*:*:*
cpe:2.3:o:qnap:qts:5.2.3.3006:build_20250108:*:*:*:*:*:*
cpe:2.3:o:qnap:qts:5.2.4.3070:build_20250312:*:*:*:*:*:*
cpe:2.3:o:qnap:qts:5.2.4.3079:build_20250321:*:*:*:*:*:*
cpe:2.3:o:qnap:qts:5.2.4.3092:build_20250403:*:*:*:*:*:*
cpe:2.3:o:qnap:qts:5.2.5.3145:build_20250526:*:*:*:*:*:*
cpe:2.3:o:qnap:qts:5.2.6.3195:build_20250715:*:*:*:*:*:*
cpe:2.3:o:qnap:qts:5.2.6.3229:build_20250818:*:*:*:*:*:*
cpe:2.3:o:qnap:qts:5.2.7.3256:build_20250913:*:*:*:*:*:*
cpe:2.3:o:qnap:qts:5.2.7.3297:build_20251024:*:*:*:*:*:*
cpe:2.3:o:qnap:qts:5.2.8.3332:build_20251128:*:*:*:*:*:*
cpe:2.3:o:qnap:qts:5.2.8.3350:build_20251216:*:*:*:*:*:*
cpe:2.3:o:qnap:qts:5.2.8.3359:build_20251225:*:*:*:*:*:*
cpe:2.3:o:qnap:qts:5.2.9.3410:build_20260214:*:*:*:*:*:*
cpe:2.3:o:qnap:qts:5.2.9.3451:build_20260327:*:*:*:*:*:*
cpe:2.3:o:qnap:quts_hero:h5.2.0.2737:build_20240417:*:*:*:*:*:*
cpe:2.3:o:qnap:quts_hero:h5.2.0.2782:build_20240601:*:*:*:*:*:*
cpe:2.3:o:qnap:quts_hero:h5.2.0.2789:build_20240607:*:*:*:*:*:*
cpe:2.3:o:qnap:quts_hero:h5.2.0.2802:build_20240620:*:*:*:*:*:*
cpe:2.3:o:qnap:quts_hero:h5.2.0.2823:build_20240711:*:*:*:*:*:*
cpe:2.3:o:qnap:quts_hero:h5.2.0.2851:build_20240808:*:*:*:*:*:*
cpe:2.3:o:qnap:quts_hero:h5.2.0.2860:build_20240817:*:*:*:*:*:*
cpe:2.3:o:qnap:quts_hero:h5.2.1.2929:build_20241025:*:*:*:*:*:*
cpe:2.3:o:qnap:quts_hero:h5.2.1.2940:build_20241105:*:*:*:*:*:*
cpe:2.3:o:qnap:quts_hero:h5.2.2.2952:build_20241116:*:*:*:*:*:*
cpe:2.3:o:qnap:quts_hero:h5.2.3.3006:build_20250108:*:*:*:*:*:*
cpe:2.3:o:qnap:quts_hero:h5.2.4.3070:build_20250312:*:*:*:*:*:*
cpe:2.3:o:qnap:quts_hero:h5.2.4.3079:build_20250321:*:*:*:*:*:*
cpe:2.3:o:qnap:quts_hero:h5.2.5.3138:build_20250519:*:*:*:*:*:*
cpe:2.3:o:qnap:quts_hero:h5.2.6.3195:build_20250715:*:*:*:*:*:*
cpe:2.3:o:qnap:quts_hero:h5.2.7.3256:build_20250913:*:*:*:*:*:*
cpe:2.3:o:qnap:quts_hero:h5.2.7.3297:build_20251024:*:*:*:*:*:*
cpe:2.3:o:qnap:quts_hero:h5.2.8.3321:build_20251117:*:*:*:*:*:*
cpe:2.3:o:qnap:quts_hero:h5.2.8.3350:build_20251216:*:*:*:*:*:*
cpe:2.3:o:qnap:quts_hero:h5.2.8.3359:build_20251225:*:*:*:*:*:*
cpe:2.3:o:qnap:quts_hero:h5.2.9.3410:build_20260214:*:*:*:*:*:*
cpe:2.3:o:qnap:quts_hero:h5.2.9.3492:build_20260507:*:*:*:*:*:*
cpe:2.3:o:qnap:quts_hero:h5.3.0.3115:build_20250430:*:*:*:*:*:*
cpe:2.3:o:qnap:quts_hero:h5.3.0.3145:build_20250530:*:*:*:*:*:*
cpe:2.3:o:qnap:quts_hero:h5.3.0.3192:build_20250716:*:*:*:*:*:*
cpe:2.3:o:qnap:quts_hero:h5.3.1.3250:build_20250912:*:*:*:*:*:*
cpe:2.3:o:qnap:quts_hero:h5.3.1.3292:build_20251024:*:*:*:*:*:*
cpe:2.3:o:qnap:quts_hero:h5.3.2.3354:build_20251225:*:*:*:*:*:*
cpe:2.3:o:qnap:quts_hero:h5.3.3.3424:build_20260305:*:*:*:*:*:*
cpe:2.3:o:qnap:quts_hero:h6.0.0.3324:build_20251125:*:*:*:*:*:*
cpe:2.3:o:qnap:quts_hero:h6.0.0.3382:build_20260122:*:*:*:*:*:*
cpe:2.3:o:qnap:quts_hero:h6.0.0.3397:build_20260206:*:*:*:*:*:*
cpe:2.3:o:qnap:quts_hero:h6.0.0.3459:build_20260409:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Qnap; Qnap qts; Qnap quts Hero
Type: Metrics
  Values Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Tue, 09 Jun 2026 14:30:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 07:45:00 +0000

Type: First Time appeared
  Values Added: Qnap Systems Inc.; Qnap Systems Inc. qts; Qnap Systems Inc. quts Hero
Type: Vendors & Products
  Values Added: Qnap Systems Inc.; Qnap Systems Inc. qts; Qnap Systems Inc. quts Hero

Tue, 09 Jun 2026 06:15:00 +0000

Type: Description
  Values Added: A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later; QuTS hero h5.2.9.3499 build 20260514 and later; QuTS hero h5.3.4.3500 build 20260520 and later; QuTS hero h6.0.0.3500 build 20260520 and later
Type: Title
  Values Added: QTS, QuTS hero
Type: Weaknesses
  Values Added: CWE-79
Type: References (values not shown)
Type: Metrics
  Values Added: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: qnap

Published:

Updated: 2026-06-30T01:47:14.324Z

Reserved: 2026-04-21T03:07:17.287Z

Link: CVE-2026-41539

Vulnrichment

Updated: 2026-06-09T13:12:35.515Z

NVD

Status: Analyzed

Published: 2026-06-09T06:16:53.413

Modified: 2026-06-12T15:37:43.163

Link: CVE-2026-41539

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T05:00:04Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')