Medium severity6.7NVD Advisory· Published Mar 20, 2026· Updated Apr 14, 2026
CVE-2025-62846
CVE-2025-62846
Description
An SQL injection vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to execute unauthorized code or commands.
We have already fixed the vulnerability in the following version: QuRouter 2.6.2.007 and later
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
5Patches
Vulnerability mechanics
References
1- www.qnap.com/en/security-advisory/qsa-26-12nvdVendor Advisory
News mentions
1- ZDI-26-241: (Pwn2Own) QNAP QHora-322 qvpn_db_mgr username SQL Injection Remote Code Execution VulnerabilityZero Day Initiative · Mar 30, 2026