These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
A buffer overflow vulnerability has been reported to affect File Station 5. Remote attackers can exploit the vulnerability to modify memory or crash processes. This medium-severity vulnerability has been fixed in File Station 5 version 5.5.6.5243 and later.
A buffer overflow vulnerability has been reported to affect File Station 5. Remote attackers can exploit the vulnerability to modify memory or crash processes. The vulnerability has already been fixed in File Station 5 version 5.5.6.5243 and later.
A buffer overflow vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes.
CVE-2026-24724 is an incorrect authorization vulnerability affecting QNAP File Station. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass intended access restrictions. The vulnerability has been fixed in File Station 5 version 5.5.6.5243 and later.
CVE-2026-22899 is a NULL pointer dereference vulnerability affecting QNAP File Station 6. A remote attacker with a user account can exploit this vulnerability to launch a denial-of-service (DoS) attack. The vulnerability has been fixed in File Station 5 version 5.5.6.5208 and later.
CVE-2025-66281 is a NULL pointer dereference vulnerability reported in several QNAP operating system versions. This vulnerability allows remote attackers to launch a denial-of-service (DoS) attack. The vulnerability has been fixed in the following versions: QTS 5.2.9.3410 build 20260214 and later, QuTS hero h5.2.9.3410 build 20260214 and later, QuTS hero h5.3.4.3500 build 20260520 and later, and QuTS hero [truncated]
CVE-2025-66276 is a critical vulnerability in QNAP QTS, with a CVSS score of 9.2. The vulnerability has been fixed in QTS 5.2.7.3256 build 20250913 and later. QuTS hero is not affected by this vulnerability.
CVE-2023-47565 is a QNAP VioStor NVR OS command injection vulnerability that CISA listed in its Known Exploited Vulnerabilities catalog on 2023-12-21. The presence of this entry means the issue is known to be exploited in the wild, so defenders should treat it as a high-priority remediation item. CISA’s guidance for KEV entries is to apply vendor mitigations or discontinue use of the product if mitigation [truncated]
CVE-2022-27593 is a QNAP Photo Station vulnerability described as an externally controlled reference issue. CISA added it to the Known Exploited Vulnerabilities catalog on 2022-09-08, and the supplied metadata marks it as associated with known ransomware campaign use. Because the corpus does not include a CVSS score or detailed impact analysis, defenders should treat this as a prioritized patching and exp [truncated]
CVE-2019-7195 is a QNAP Photo Station path traversal vulnerability that CISA has listed in the Known Exploited Vulnerabilities catalog. The KEV entry marks it as actively exploited and notes known ransomware campaign use. CISA’s required action is to apply updates per vendor instructions, with a due date of 2022-06-22 based on the 2022-06-08 KEV addition.
CVE-2019-7194 is a QNAP Photo Station path traversal vulnerability that CISA has added to its Known Exploited Vulnerabilities catalog. Because CISA flags it as actively exploited and notes known ransomware campaign use, defenders should treat it as a priority remediation item and follow vendor update guidance.
CVE-2019-7193 is a QNAP QTS improper input validation vulnerability that CISA lists in its Known Exploited Vulnerabilities catalog. The KEV entry indicates known exploitation, and CISA also marks the issue as having known ransomware campaign use. Because the supplied corpus does not include a CVSS score or affected-version details, defenders should treat this as a high-priority patching and exposure-manag [truncated]
CVE-2019-7192 is a QNAP Photo Station improper access control vulnerability that CISA lists in the Known Exploited Vulnerabilities catalog. CISA also marks it as having known ransomware campaign use, which makes this a high-priority remediation item for any exposed QNAP Photo Station deployment. The available source material does not provide deeper technical detail, so the safest response is to follow the [truncated]
CVE-2018-19953 is a cross-site scripting vulnerability affecting QNAP NAS File Station. CISA lists it in the Known Exploited Vulnerabilities catalog and marks known ransomware campaign use, so unpatched or exposed QNAP NAS environments should treat remediation as urgent.
CVE-2018-19949 is a QNAP NAS File Station command injection vulnerability that CISA has listed in its Known Exploited Vulnerabilities catalog. Because it is marked as known to be exploited and associated with known ransomware campaign use, organizations should treat exposed QNAP NAS systems as high-priority assets for patching, exposure review, and monitoring. The public source provided here does not incl [truncated]
CVE-2018-19943 is a cross-site scripting vulnerability affecting QNAP NAS File Station. CISA lists it in the Known Exploited Vulnerabilities catalog, which means it has been observed in active exploitation. CISA also marks it as having known ransomware campaign use, so exposed or internet-reachable QNAP NAS management interfaces should be treated as high priority for remediation.
CVE-2020-2509 is a command injection vulnerability affecting QNAP Network-Attached Storage (NAS). The main defensive signal in the supplied records is CISA’s inclusion of this CVE in the Known Exploited Vulnerabilities catalog, which means organizations should treat it as an active patching priority rather than a routine advisory.
CVE-2021-28799 is a QNAP Network Attached Storage (NAS) improper authorization vulnerability that CISA added to the Known Exploited Vulnerabilities (KEV) catalog on 2022-03-31. CISA also records it as having known ransomware campaign use and set a remediation due date of 2022-04-21. Based on the official KEV record, the key defensive takeaway is straightforward: this is a publicly tracked, actively exploi [truncated]