These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-26237 is a high-severity vulnerability in QuMagie, a QNAP product. The vulnerability has a CVSS score of 8.7 and allows remote attackers to access unauthorized data or perform unauthorized actions due to a missing authorization issue.
CVE-2026-24720 is a vulnerability in QNAP File Station 6, which allows an attacker with a user account to cause a denial of service by preventing other systems, applications, or processes from accessing the same type of resource. The vulnerability has a CVSS score of 5.3 and is classified as MEDIUM severity. QNAP has fixed the vulnerability in File Station 5 version 5.5.6.5243 and later.
CVE-2026-24719 is a HIGH severity command injection vulnerability affecting several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. The vulnerability has already been fixed in QTS 5.2.9.3492 build 20260507 and later, and QuTS hero h5.2.9.3499 build 20260514 and later.
A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data.
CVE-2026-24716 is a NULL pointer dereference vulnerability affecting several QNAP operating system versions. A remote attacker with administrator privileges can exploit this vulnerability to launch a denial-of-service (DoS) attack. The vulnerability has been fixed in QTS 5.2.9.3492 build 20260507 and later, QuTS hero h5.2.9.3499 build 20260514 and later, QuTS hero h5.3.4.3500 build 20260520 and later, and [truncated]
CVE-2026-22893 is a high-severity command injection vulnerability affecting several QNAP operating system versions. An attacker with administrator privileges on a remote system can exploit this vulnerability to execute arbitrary commands. The vulnerability has been fixed in QTS 5.2.9.3410 build 20260214 and later, QuTS hero h5.2.9.3410 build 20260214 and later, QuTS hero h5.3.4.3500 build 20260520 and lat [truncated]
CVE-2025-66280 is a medium-severity vulnerability (CVSS score: 5.1) affecting several QNAP operating system versions. The vulnerability is caused by an integer overflow or wraparound weakness, which can be exploited by a remote attacker with administrator privileges to compromise the security of the system. QNAP has released patched versions to address this issue: QTS 5.2.9.3410 build 20260214 and later, [truncated]
CVE-2025-66279 is a high-severity command injection vulnerability affecting several QNAP operating system versions. An attacker with administrator privileges, after gaining access, can exploit this vulnerability to execute arbitrary commands. The vulnerability has been addressed in the following versions: QTS 5.2.9.3410 build 20260214 and later, QuTS hero h5.2.9.3410 build 20260214 and later, QuTS hero h5 [truncated]
CVE-2025-66273 is a high-severity command injection vulnerability affecting several QNAP operating system versions. An attacker with administrator privileges, after gaining access, can exploit this vulnerability to execute arbitrary commands. The vulnerability has been addressed in the following versions: QTS 5.2.9.3410 build 20260214 and later, QuTS hero h5.2.9.3410 build 20260214 and later, QuTS hero h5 [truncated]
CVE-2025-62850 is a NULL pointer dereference vulnerability affecting several QNAP operating system versions. A remote attacker with administrator privileges can exploit this vulnerability to launch a denial-of-service (DoS) attack. The vulnerability has been fixed in QuTS hero h5.2.9.3410 build 20260214 and later, QuTS hero h5.3.4.3500 build 20260520 and later, and QuTS hero h6.0.0.3459 build 20260409 and later.
CVE-2025-59382 is a vulnerability with a CVSS score of 1.2 and a severity of LOW. The affected products and details about the vulnerability can be found in the official CVE record [cve-org] and NVD detail [nvd]. According to the vendor, QTS, QuTS hero, and QuTScloud are not affected. The vulnerability has already been fixed in a specified version.
A cross-site request forgery (CSRF) vulnerability has been reported to affect Notification Center. Remote attackers can exploit the vulnerability to gain privileges or hijack user identities. The vulnerability has already been fixed in Notification Center 1.10.0.3291 and later.