QNAP: Four Vulnerabilities Disclosed Together on June 9, 2026

Key findings
- Four QNAP vulnerabilities disclosed on June 9, 2026.
- Three High-severity flaws impact QuMagie and QTS.
- CVE-2026-44083 and CVE-2026-26236 are authorization bypass issues in QuMagie.
- CVE-2026-41539 is an XSS vulnerability affecting QTS.
- CVE-2025-62858 is a Medium-severity buffer overflow in QTS.
- Patches are available for affected QNAP QTS and QuMagie versions.

QNAP disclosed a cluster of four security vulnerabilities on June 9, 2026, affecting its QTS operating system and the QuMagie photo management application. The batch includes three High-severity flaws and one Medium-severity issue, all patched by the vendor on the same day.
The vulnerabilities present a range of security risks, including authorization bypass, buffer overflows, and cross-site scripting (XSS).
Two of the High-severity vulnerabilities, CVE-2026-44083 and CVE-2026-26236, affect the QuMagie application. CVE-2026-44083 is an authorization bypass vulnerability that could allow remote attackers to gain unintended privileges. CVE-2026-26236 is a missing authorization vulnerability, potentially enabling remote attackers to access unauthorized data or perform unauthorized actions. CVE-2026-44083 is fixed in QuMagie version 2.9.1 and later, and CVE-2026-26236 is fixed in version 2.9.0 and later.
A third High-severity vulnerability, CVE-2026-41539, affects several QNAP operating system versions. This cross-site scripting (XSS) vulnerability could allow remote attackers to bypass security mechanisms or read application data. The fix for this issue is available in QTS version 5.2.9.3492 build 20260507 and later.
The Medium-severity vulnerability, CVE-2025-62858, also impacts several QNAP operating system versions. This buffer overflow vulnerability, if exploited by an attacker with administrator privileges, could lead to memory modification or process crashes. QNAP has addressed this in QTS version 5.2.9.3410 build 2, and later.
QNAP has provided specific version numbers for the patches addressing these vulnerabilities, urging users to update their systems and applications promptly to mitigate the risks associated with these security flaws. The swift disclosure and patching of these issues highlight the vendor's ongoing efforts to maintain the security posture of its products.
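One way to triage a device inventory against the fixed versions listed above, as an added example that is not QNAP tooling or part of the original article. Hostnames and installed versions are constructed; the build number for CVE-2025-62858 is truncated in the article, so a device on exactly that version is flagged for manual verification, and QTS branches other than 5.2 are referred to the vendor advisory because the article gives no fix for them.

```python
import re
UNKNOWN = "unknown"  # build truncated in the article; deliberately not guessed

# (CVE, product, fixed version, fixed build) as stated in the article.
FIXES = [
    ("CVE-2026-44083", "QuMagie", (2, 9, 1), None),
    ("CVE-2026-26236", "QuMagie", (2, 9, 0), None),
    ("CVE-2026-41539", "QTS", (5, 2, 9, 3492), 20260507),
    ("CVE-2025-62858", "QTS", (5, 2, 9, 3410), UNKNOWN),
]

def parse_version(text):
    """'5.2.9.3492 build 20260507' -> ((5, 2, 9, 3492), 20260507)."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)(?:\s+build\s+(\d+))?\s*", text, re.I)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums, (int(m.group(2)) if m.group(2) else None)

def status(product, installed, fixed, fixed_build):
    nums, build = parse_version(installed)
    if product == "QTS" and nums[:2] != fixed[:2]:
        return "check-advisory"  # other OS branch: the article lists no fix for it
    pad = max(len(nums), len(fixed))  # pad so '2.9' compares equal to '2.9.0'
    a, b = (t + (0,) * (pad - len(t)) for t in (nums, fixed))
    if a != b:
        return "patched" if a > b else "needs-update"
    if fixed_build is None:
        return "patched"  # fix is identified by version number alone
    if fixed_build == UNKNOWN or build is None:
        return "verify-build"  # same version, builds cannot be compared
    return "patched" if build >= fixed_build else "needs-update"

def audit(inventory):
    """Map host -> [(cve, status)] for every finding that is not 'patched'."""
    report = {}
    for host, product, version in inventory:
        for cve, fixed_product, fixed, fixed_build in FIXES:
            if product == fixed_product:
                verdict = status(product, version, fixed, fixed_build)
                if verdict != "patched":
                    report.setdefault(host, []).append((cve, verdict))
    return report

# Constructed inventory: hostnames and installed versions are made up.
INVENTORY = [("nas-01", "QTS", "5.2.9.3492 build 20260507"),
             ("nas-02", "QTS", "5.2.9.3410 build 20260301"),
             ("nas-03", "QuMagie", "2.9.0"),
             ("nas-04", "QTS", "5.1.8.2823 build 20240712")]
if __name__ == "__main__": print(audit(INVENTORY))
```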