High severityNVD Advisory· Published Jun 9, 2026

CVE-2026-41539

Description

A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to bypass security mechanisms or read application data.

We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3500 build 20260520 and later

Affected products

Qnap/Qtsllm-fuzzy
Range: >=5.2.9.3492 build 20260507
Qnap/QuTS herollm-fuzzy
Range: >=h5.2.9.3499 build 20260514, >=h5.3.4.3500 build 20260520, >=h6.0.0.3500 build 20260520

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.qnap.com/en/security-advisory/qsa-26-31nvd

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000