High severityNVD Advisory· Published Jun 10, 2026· Updated Jun 10, 2026

CVE-2026-24719

Description

A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands.

We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later

Affected products

Qnap/QNAP operating systemllm-fuzzy
Range: prior to QTS 5.2.9.3492 build 20260507 and prior to QuTS hero h5.2.9.3499 build 20260514

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.qnap.com/en/security-advisory/qsa-26-23nvd

News mentions

QNAP QTS: Critical Command Injection and XSS Flaws Disclosed in Batch
Vypr Intelligence · Jun 10, 2026
QNAP QuTS hero: 12 Vulnerabilities Disclosed, Including Command Injection and XSS
Vypr Intelligence · Jun 10, 2026

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000