Medium severityNVD Advisory· Published Jun 10, 2026· Updated Jun 10, 2026

CVE-2025-66281

Description

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to launch a denial-of-service (DoS) attack.

We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20260214 and later QuTS hero h5.2.9.3410 build 20260214 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3397 build 20260206 and later

Affected products

Qnap/Qtsllm-fuzzy
Range: before 5.2.9.3410 build 20260214
Qnap/QuTS herollm-fuzzy
Range: before h5.2.9.3410 build 20260214, before h5.3.4.3500 build 20260520, before h6.0.0.3397 build 20260206

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.qnap.com/en/security-advisory/qsa-26-10nvd

News mentions

QNAP QTS: Critical Command Injection and XSS Flaws Disclosed in Batch
Vypr Intelligence · Jun 10, 2026
QNAP QuTS hero: 12 Vulnerabilities Disclosed, Including Command Injection and XSS
Vypr Intelligence · Jun 10, 2026

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000