PatchSiren cyber security CVE debrief
CVE-2026-22895 QNAP Systems Inc. CVE debrief
A cross-site scripting (XSS) vulnerability has been reported in QuFTP Service. Exploitation requires administrator account credentials; an attacker who has them can bypass security mechanisms or read application data.
- Vendor: QNAP Systems Inc.
- Product: QuFTP Service
- CVSS: MEDIUM 6.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-20
- Original CVE updated: 2026-06-09
- Advisory published: 2026-03-20
- Advisory updated: 2026-06-09
Who should care
Users of QuFTP Service versions prior to 1.4.3, 1.5.2, or 1.6.2 should apply patches to prevent exploitation.
Technical summary
CVE-2026-22895 is a medium-severity (CVSS Score: 6.2) cross-site scripting (XSS) vulnerability in QuFTP Service. An attacker with administrator account credentials can exploit this vulnerability to bypass security mechanisms or read application data.
Defensive priority
Medium
Recommended defensive actions
- Apply patches: Upgrade to QuFTP Service version 1.4.3, 1.5.2, or 1.6.2 or later.
- Restrict access: Limit access to QuFTP Service to trusted users and networks.
- Monitor for suspicious activity: Regularly review QuFTP Service logs for potential exploitation attempts.
Evidence notes
CVE-2026-22895 was published on 2026-03-20T17:16:43.980Z and modified on 2026-06-09T05:16:34.237Z.
Official resources
- CVE-2026-22895 CVE record: CVE.org
- CVE-2026-22895 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: Vendor Advisory
CVE-2026-22895 was published on 2026-03-20T17:16:43.980Z and modified on 2026-06-09T05:16:34.237Z.