VYPR
Published Jun 10, 2026· 1 source

QNAP QuTS hero: 12 Vulnerabilities Disclosed, Including Command Injection and XSS

Key findings • Twelve QNAP QuTS hero vulnerabilities disclosed between June 9-10, 2026. • Includes critical and high-severity command injection flaws allowing arbitrary code execution. • …

Key findings

  • Twelve QNAP QuTS hero vulnerabilities disclosed between June 9-10, 2026.
  • Includes critical and high-severity command injection flaws allowing arbitrary code execution.
  • A high-severity XSS vulnerability (CVE-2026-41539) was also disclosed.
  • Other vulnerabilities include path traversal, DoS, integer overflow, and buffer overflow.
  • Patches are available for affected QuTS hero versions, with specific build numbers provided.

QNAP has released security updates to address a substantial cluster of twelve vulnerabilities affecting its QuTS hero operating system. The disclosures, which occurred across June 9th and 10th, 2026, encompass a range of security risks, including critical command injection flaws that could permit arbitrary code execution, and a high-severity cross-site scripting (XSS) vulnerability. These vulnerabilities could allow remote attackers to compromise the security of affected systems.

The batch includes several command injection vulnerabilities, such as CVE-2026-24719, CVE-2026-22893, CVE-2025-66279, and CVE-2025-66273. Exploiting these flaws could enable remote attackers with administrator privileges to execute arbitrary commands on the system. Another critical vulnerability, CVE-2026-41539, is a cross-site scripting (XSS) flaw that could allow attackers to bypass security mechanisms or read sensitive application data.

Beyond command injection and XSS, the disclosed vulnerabilities also include path traversal issues (CVE-2026-24717), which could allow attackers to read unexpected files or system data. Several NULL pointer dereference vulnerabilities, including CVE-2026-24716, CVE-2025-66281, and CVE-2025-62850, were reported, potentially leading to denial-of-service (DoS) conditions. Additionally, an integer overflow or wraparound vulnerability (CVE-2025-66280) and a buffer overflow vulnerability (CVE-2025-62858) were part of this disclosure, both capable of compromising system security or leading to process crashes.

While the descriptions for CVE-2025-59382 indicate that QTS, QuTS hero, and QuTScloud are not affected by this specific vulnerability, it was still part of the broader disclosure event. The vendor has provided specific build numbers for patched versions, indicating that fixes are available for affected systems. For instance, CVE-2026-24719 and CVE-2026-41539 were patched in QTS 5.2.9.3492 build 20260507 and QTS 5.2.9.3492 build 20260 respectively, while other vulnerabilities were addressed in builds like QTS 5.2.9.3410 build 20260.

Users of QNAP QuTS hero are strongly advised to review the available security advisories and apply the necessary updates promptly. The disclosure of multiple high-severity vulnerabilities, particularly those allowing command execution and XSS, underscores the importance of maintaining up-to-date firmware to protect against potential exploitation. The swift patching by QNAP indicates a proactive approach to addressing these security concerns.

Synthesized by Vypr AI