Description
A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. Remote attackers can exploit the vulnerability to bypass security mechanisms or read application data.

We have already fixed the vulnerability in the following versions:
QTS 5.2.9.3492 build 20260507 and later
QuTS hero h5.2.9.3499 build 20260514 and later
QuTS hero h5.3.4.3500 build 20260520 and later
QuTS hero h6.0.0.3500 build 20260520 and later
Published: 2026-06-09
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a cross-site scripting flaw (CWE-79) in the web interface of QNAP's QTS and QuTS hero operating systems; the advisory does not say whether the injection point is stored or reflected. Script injected by an attacker runs in the browser of a user who loads the crafted content, with that user's session on the device, which is how the vendor's description of bypassing security mechanisms or reading application data is realised. The CVSS 4.0 vector recorded on this page, AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, scores 8.7: the attacker needs no privileges on the device, a user must interact (UI:P), and the rated impact on the device's confidentiality, integrity and availability is high, with no impact scored against subsequent systems.

Affected Systems

The flaw affects QNAP Systems Inc. QTS and QuTS hero. Releases earlier than the following fixed builds are impacted: QTS 5.2.9.3492 build 20260507; QuTS hero h5.2.9.3499 build 20260514; QuTS hero h5.3.4.3500 build 20260520; QuTS hero h6.0.0.3500 build 20260520. The QuTS hero fixes are listed per release branch (h5.2, h5.3 and h6.0), so a device has to be compared against the fixed build of its own branch rather than against the lowest fixed version number.
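The branch-aware comparison described above is easy to get wrong by hand across a fleet, so here is an added example (not QNAP's or OpenCVE's code) that parses version strings in the advisory's own format and reports each device as fixed, vulnerable, or unknown against the fixed builds listed on this page. The hostnames and device versions in the inventory are constructed for the demonstration; "unknown" means the advisory lists no fixed build for that release branch, so the device is not verified as safe.

```python
"""Check QNAP QTS / QuTS hero version strings against the fixed builds
listed in this advisory (added example, not QNAP's or OpenCVE's code)."""
import re
from dataclasses import dataclass

# Fixed builds copied from the advisory on this page, keyed by product and
# then by release branch (major, minor). QuTS hero has three affected
# branches, each with its own fix, so a device must be compared against the
# fix for its own branch, not against the lowest-numbered fixed version.
FIXED_BUILDS = {
    "QTS": {
        (5, 2): ((5, 2, 9, 3492), 20260507),
    },
    "QuTS hero": {
        (5, 2): ((5, 2, 9, 3499), 20260514),
        (5, 3): ((5, 3, 4, 3500), 20260520),
        (6, 0): ((6, 0, 0, 3500), 20260520),
    },
}

# Matches strings in the advisory's own format, e.g.
# "QTS 5.2.9.3492 build 20260507" or "QuTS hero h5.3.4.3500 build 20260520".
_VERSION_RE = re.compile(
    r"^(?P<product>QTS|QuTS hero)\s+h?(?P<ver>\d+\.\d+\.\d+\.\d+)\s+build\s+(?P<build>\d{8})$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Verdict:
    product: str
    version: tuple
    build: int
    status: str  # "fixed", "vulnerable" or "unknown"
    reason: str


def parse_version(text: str):
    """Split a QNAP version string into (product, version tuple, build date)."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised QNAP version string: {text!r}")
    product = "QTS" if m.group("product").lower() == "qts" else "QuTS hero"
    version = tuple(int(part) for part in m.group("ver").split("."))
    return product, version, int(m.group("build"))


def assess(text: str) -> Verdict:
    """Decide whether one device's reported version carries the fix for this CVE."""
    product, version, build = parse_version(text)
    branch = version[:2]
    fixes = FIXED_BUILDS[product]
    if branch not in fixes:
        return Verdict(product, version, build, "unknown",
                       f"advisory lists no fixed build for {product} {branch[0]}.{branch[1]}.x")
    fixed_version, fixed_build = fixes[branch]
    dotted = ".".join(str(p) for p in fixed_version)
    # Compare the dotted version first and the build date second, so a
    # same-version build dated before the fix is still flagged.
    if (version, build) >= (fixed_version, fixed_build):
        return Verdict(product, version, build, "fixed",
                       f"at or above fixed build {dotted} build {fixed_build}")
    return Verdict(product, version, build, "vulnerable",
                   f"below fixed build {dotted} build {fixed_build}")


def triage(reports):
    """Assess a list of (hostname, version string) pairs; returns {host: Verdict}."""
    return {host: assess(text) for host, text in reports}


if __name__ == "__main__":
    # Constructed inventory for demonstration; hostnames and versions are made up.
    inventory = [
        ("nas-01", "QTS 5.2.9.3492 build 20260507"),
        ("nas-02", "QTS 5.2.8.3200 build 20260301"),
        ("nas-03", "QuTS hero h5.3.2.3100 build 20260110"),
        ("nas-04", "QuTS hero h6.0.1.3600 build 20260701"),
        ("nas-05", "QuTS hero h5.1.9.3000 build 20251201"),
    ]
    for host, verdict in triage(inventory).items():
        print(f"{host}: {verdict.status:10s} {verdict.reason}")
```

Feed it whatever your asset inventory exports for the firmware field; anything that does not match the advisory's "product version build YYYYMMDD" shape raises a ValueError rather than being silently scored, which is the safer failure for a patch-verification check.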

Risk and Exploitability

Exploitation is remote: the attacker supplies crafted URLs or form inputs that the web interface renders without proper escaping, and a user with access to the interface must load that content (UI:P in the CVSS vector). This page shows an EPSS score below 1% (very low), no entry in the CISA KEV catalog, and an SSVC record of Exploitation: none and Automatable: no. Those indicators mean no known exploitation at the time of publication, not low severity: the CVSS 4.0 score of 8.7 reflects high impact on the confidentiality, integrity and availability of the device. The effective fix is the vendor firmware update; restricting who can reach the management interface reduces exposure until it is applied.

Generated by OpenCVE AI on June 9, 2026 at 07:50 UTC.

Remediation

Vendor Solution

We have already fixed the vulnerability in the following versions:
QTS 5.2.9.3492 build 20260507 and later
QuTS hero h5.2.9.3499 build 20260514 and later
QuTS hero h5.3.4.3500 build 20260520 and later
QuTS hero h6.0.0.3500 build 20260520 and later


OpenCVE Recommended Actions

  • Upgrade immediately to the latest firmware releases: QTS 5.2.9.3492 build 20260507 or later, or to QuTS hero h5.2.9.3499 build 20260514, h5.3.4.3500 build 20260520, or h6.0.0.3500 build 20260520 or later.
  • Restrict access to the web management interface to trusted internal networks or VPN connections, disabling any unused web services on the device.
  • Do not rely on a content security policy as a stopgap: CSP is a response header set by the firmware's web application itself, not a setting an administrator can normally enable on the device. Until the update is applied, reduce exposure by limiting who can reach the management interface and by treating links to the device's web UI from untrusted sources with suspicion, since the attack needs a user to load the crafted content.

Generated by OpenCVE AI on June 9, 2026 at 07:50 UTC.


Advisories

No advisories yet.

History

Tue, 09 Jun 2026 14:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 07:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Qnap Systems Inc.; Qnap Systems Inc. qts; Qnap Systems Inc. quts Hero

Type: Vendors & Products
Values Removed: (none)
Values Added: Qnap Systems Inc.; Qnap Systems Inc. qts; Qnap Systems Inc. quts Hero

Tue, 09 Jun 2026 06:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3500 build 20260520 and later

Type: Title
Values Removed: (none)
Values Added: QTS, QuTS hero

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none shown)

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: qnap

Published:

Updated: 2026-06-09T13:12:39.716Z

Reserved: 2026-04-21T03:07:17.287Z

Link: CVE-2026-41539

Vulnrichment

Updated: 2026-06-09T13:12:35.515Z

NVD

Status : Awaiting Analysis

Published: 2026-06-09T06:16:53.413

Modified: 2026-06-09T13:49:39.993

Link: CVE-2026-41539

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T08:00:15Z

Weaknesses