Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-62856

Summary
Assigner-qnap
Assigner Org ID-2fd009eb-170a-4625-932b-17a53af1051f
Published At-11 Feb, 2026 | 12:15
Updated At-11 Feb, 2026 | 16:50
Rejected At-
Credits

File Station 5

A path traversal vulnerability has been reported to affect File Station 5. If a local attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5190 and later

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:qnap
Assigner Org ID:2fd009eb-170a-4625-932b-17a53af1051f
Published At:11 Feb, 2026 | 12:15
Updated At:11 Feb, 2026 | 16:50
Rejected At:
â–¼CVE Numbering Authority (CNA)
File Station 5

A path traversal vulnerability has been reported to affect File Station 5. If a local attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5190 and later

Affected Products
Vendor
QNAP Systems, Inc.QNAP Systems Inc.
Product
File Station 5
Default Status
unaffected
Versions
Affected
  • From 5.5.x before 5.5.6.5190 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-22CWE-22
Type: CWE
CWE ID: CWE-22
Description: CWE-22
Metrics
VersionBase scoreBase severityVector
4.01.3LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
Version: 4.0
Base score: 1.3
Base severity: LOW
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-126CAPEC-126
CAPEC ID: CAPEC-126
Description: CAPEC-126
Solutions

We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5190 and later

Configurations
Workarounds
Exploits
Credits
finder
coral
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.qnap.com/en/security-advisory/qsa-26-03
N/A
Hyperlink: https://www.qnap.com/en/security-advisory/qsa-26-03
Resource: N/A
â–¼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@qnapsecurity.com.tw
Published At:11 Feb, 2026 | 13:15
Updated At:12 Feb, 2026 | 19:45

A path traversal vulnerability has been reported to affect File Station 5. If a local attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5190 and later

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.01.3LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.14.4MEDIUM
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Type: Secondary
Version: 4.0
Base score: 1.3
Base severity: LOW
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 4.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CPE Matches
QNAP Systems, Inc.
qnap
>>file_station>>Versions from 5.5.6.4691(inclusive) to 5.5.6.5190(exclusive)
cpe:2.3:a:qnap:file_station:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-22Primarysecurity@qnapsecurity.com.tw
CWE ID: CWE-22
Type: Primary
Source: security@qnapsecurity.com.tw
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.qnap.com/en/security-advisory/qsa-26-03security@qnapsecurity.com.tw
Vendor Advisory
Hyperlink: https://www.qnap.com/en/security-advisory/qsa-26-03
Source: security@qnapsecurity.com.tw
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

58Records found
CVE-2025-68406
Matching Score-10
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-10
Assigner-QNAP Systems, Inc.
CVSS Score-1.3||LOW
EPSS-0.24% / 47.09%
||
7 Day CHG~0.00%
Published-11 Feb, 2026 | 12:15
Updated-12 Feb, 2026 | 14:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Qsync Central

A path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 ( 2026/01/20 ) and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qsync_centralQsync Central
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-66278
Matching Score-10
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-10
Assigner-QNAP Systems, Inc.
CVSS Score-1.3||LOW
EPSS-0.24% / 47.09%
||
7 Day CHG~0.00%
Published-11 Feb, 2026 | 12:15
Updated-12 Feb, 2026 | 19:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
File Station 5

A path traversal vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5190 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-file_stationFile Station 5
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-62855
Matching Score-10
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-10
Assigner-QNAP Systems, Inc.
CVSS Score-1.3||LOW
EPSS-0.01% / 2.03%
||
7 Day CHG~0.00%
Published-11 Feb, 2026 | 12:16
Updated-12 Feb, 2026 | 19:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
File Station 5

A path traversal vulnerability has been reported to affect File Station 5. If a local attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5190 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-file_stationFile Station 5
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2022-27599
Matching Score-8
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-8
Assigner-QNAP Systems, Inc.
CVSS Score-6.7||MEDIUM
EPSS-0.02% / 5.16%
||
7 Day CHG~0.00%
Published-08 Sep, 2023 | 01:58
Updated-26 Sep, 2024 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QVR Pro Client

An insertion of sensitive information into Log file vulnerability has been reported to affect product. If exploited, the vulnerability possibly provides local authenticated administrators with an additional, less-protected path to acquiring the information via unspecified vectors. We have already fixed the vulnerability in the following version: Windows 10 SP1, Windows 11, Mac OS, and Mac M1: QVR Pro Client 2.3.0.0420 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qvr_pro_clientQVR Pro Client
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2023-23370
Matching Score-8
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-8
Assigner-QNAP Systems, Inc.
CVSS Score-6.7||MEDIUM
EPSS-0.02% / 5.79%
||
7 Day CHG~0.00%
Published-06 Oct, 2023 | 16:35
Updated-19 Sep, 2024 | 14:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QVPN Device Client

An insufficiently protected credentials vulnerability has been reported to affect QVPN Device Client. If exploited, the vulnerability could allow local authenticated administrators to gain access to user accounts and access sensitive data used by the user account via unspecified vectors. We have already fixed the vulnerability in the following version: QVPN Windows 2.1.0.0518 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qvpnQVPN Windows
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2023-23371
Matching Score-8
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-8
Assigner-QNAP Systems, Inc.
CVSS Score-5.2||MEDIUM
EPSS-0.01% / 2.28%
||
7 Day CHG~0.00%
Published-06 Oct, 2023 | 16:36
Updated-19 Sep, 2024 | 14:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QVPN Device Client

A cleartext transmission of sensitive information vulnerability has been reported to affect QVPN Device Client. If exploited, the vulnerability could allow local authenticated administrators to read sensitive data via unspecified vectors. We have already fixed the vulnerability in the following version: QVPN Windows 2.2.0.0823 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qvpnQVPN Windows
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CVE-2024-21904
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-5.9||MEDIUM
EPSS-0.38% / 58.64%
||
7 Day CHG~0.00%
Published-06 Sep, 2024 | 16:26
Updated-11 Sep, 2024 | 13:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QTS, QuTS hero

A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to read the contents of unexpected files and expose sensitive data via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.7.2770 build 20240520 and later QuTS hero h5.1.7.2770 build 20240520 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-quts_heroqtsQuTS heroQTS
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-39299
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-7.5||HIGH
EPSS-0.13% / 32.69%
||
7 Day CHG~0.00%
Published-03 Nov, 2023 | 16:34
Updated-05 Sep, 2024 | 18:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Music Station

A path traversal vulnerability has been reported to affect Music Station. If exploited, the vulnerability could allow users to read the contents of unexpected files and expose sensitive data via a network. We have already fixed the vulnerability in the following versions: Music Station 4.8.11 and later Music Station 5.1.16 and later Music Station 5.3.23 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-music_stationMusic Stationmusic_station
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2019-7195
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-9.8||CRITICAL
EPSS-94.11% / 99.91%
||
7 Day CHG~0.00%
Published-05 Dec, 2019 | 16:34
Updated-27 Oct, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-06-22||Apply updates per vendor instructions.

This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommend updating Photo Station to their latest versions.

Action-Not Available
Vendor-n/aQNAP Systems, Inc.
Product-qtsphoto_stationQNAP NAS devices running Photo StationPhoto Station
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2019-7194
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-9.8||CRITICAL
EPSS-93.94% / 99.88%
||
7 Day CHG~0.00%
Published-05 Dec, 2019 | 16:30
Updated-27 Oct, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-06-22||Apply updates per vendor instructions.

This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommend updating Photo Station to their latest versions.

Action-Not Available
Vendor-n/aQNAP Systems, Inc.
Product-qtsphoto_stationQNAP NAS devices running Photo StationPhoto Station
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-37046
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-2.1||LOW
EPSS-0.11% / 30.23%
||
7 Day CHG~0.00%
Published-22 Nov, 2024 | 15:33
Updated-23 Sep, 2025 | 13:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QTS, QuTS hero

A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to read the contents of unexpected files and expose sensitive data. We have already fixed the vulnerability in the following versions: QTS 5.2.1.2930 build 20241025 and later QuTS hero h5.2.1.2929 build 20241025 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-quts_heroqtsQuTS heroQTS
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-37043
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-5.1||MEDIUM
EPSS-0.11% / 30.23%
||
7 Day CHG~0.00%
Published-22 Nov, 2024 | 15:33
Updated-23 Sep, 2025 | 12:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QTS, QuTS hero

A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to read the contents of unexpected files and expose sensitive data. We have already fixed the vulnerability in the following versions: QTS 5.2.1.2930 build 20241025 and later QuTS hero h5.2.1.2929 build 20241025 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-quts_heroqtsQuTS heroQTS
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-22894
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-1.3||LOW
EPSS-0.24% / 47.09%
||
7 Day CHG~0.00%
Published-11 Feb, 2026 | 12:15
Updated-12 Feb, 2026 | 19:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
File Station 5

A path traversal vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5190 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-file_stationFile Station 5
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2020-36197
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-7.1||HIGH
EPSS-2.59% / 85.27%
||
7 Day CHG~0.00%
Published-13 May, 2021 | 02:55
Updated-17 Sep, 2024 | 01:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Access Control Vulnerability in Music Station

An improper access control vulnerability has been reported to affect earlier versions of Music Station. If exploited, this vulnerability allows attackers to compromise the security of the software by gaining privileges, reading sensitive information, executing commands, evading detection, etc. This issue affects: QNAP Systems Inc. Music Station versions prior to 5.3.16 on QTS 4.5.2; versions prior to 5.2.10 on QTS 4.3.6; versions prior to 5.1.14 on QTS 4.3.3; versions prior to 5.3.16 on QuTS hero h4.5.2; versions prior to 5.3.16 on QuTScloud c4.5.4.

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-music_stationquts_heroqutscloudqtsMusic Station
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-32974
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-7.5||HIGH
EPSS-0.17% / 38.48%
||
7 Day CHG~0.00%
Published-13 Oct, 2023 | 19:16
Updated-17 Sep, 2024 | 16:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QTS, QuTS hero, QuTScloud

A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to read the contents of unexpected files and expose sensitive data via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.0.2444 build 20230629 and later QuTS hero h5.1.0.2424 build 20230609 and later QuTScloud c5.1.0.2498 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-quts_heroqutscloudqtsQuTScloudQuTS heroQTSquts_heroqutscloudqts
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2020-2504
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-5.8||MEDIUM
EPSS-0.35% / 56.88%
||
7 Day CHG~0.00%
Published-24 Dec, 2020 | 01:39
Updated-17 Sep, 2024 | 00:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Absolute path traversal vulnerability in QES

If exploited, this absolute path traversal vulnerability could allow attackers to traverse files in File Station. QNAP has already fixed these issues in QES 2.1.1 Build 20201006 and later.

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qesQES
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-73
External Control of File Name or Path
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-20
Improper Input Validation
CVE-2021-38693
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.27% / 50.02%
||
7 Day CHG~0.00%
Published-05 May, 2022 | 16:50
Updated-16 Sep, 2024 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Path Traversal in thttpd

A path traversal vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero, QTS, QVR Pro Appliance. If exploited, this vulnerability allows attackers to read the contents of unexpected files and expose sensitive data. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero, QTS, QVR Pro Appliance: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1949 build 20220215 and later QuTS hero h4.5.4.1951 build 20220218 and later QTS 5.0.0.1986 build 20220324 and later QTS 4.5.4.1991 build 20220329 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-quts_heroqutscloudqtsQuTScloudQuTS heroQTS
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2018-19945
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-9.1||CRITICAL
EPSS-0.40% / 60.06%
||
7 Day CHG~0.00%
Published-31 Dec, 2020 | 16:33
Updated-17 Sep, 2024 | 02:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Limitation of a Pathname to a Restricted Directory in QTS

A vulnerability has been reported to affect earlier QNAP devices running QTS 4.3.4 to 4.3.6. Caused by improper limitations of a pathname to a restricted directory, this vulnerability allows for renaming arbitrary files on the target system, if exploited. QNAP have already fixed this vulnerability in the following versions: QTS 4.3.6.0895 build 20190328 (and later) QTS 4.3.4.0899 build 20190322 (and later) This issue does not affect QTS 4.4.x or QTS 4.5.x.

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qtsQTS
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-73
External Control of File Name or Path
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-20
Improper Input Validation
CVE-2015-6003
Matching Score-6
Assigner-CERT/CC
ShareView Details
Matching Score-6
Assigner-CERT/CC
CVSS Score-9.3||HIGH
EPSS-1.58% / 81.27%
||
7 Day CHG~0.00%
Published-16 Oct, 2015 | 01:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Action-Not Available
Vendor-n/aQNAP Systems, Inc.
Product-qtsn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2018-0722
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-7.5||HIGH
EPSS-0.37% / 58.39%
||
7 Day CHG~0.00%
Published-01 Feb, 2019 | 18:00
Updated-16 Sep, 2024 | 21:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Path Traversal vulnerability in Photo Station versions: 5.7.2 and earlier in QTS 4.3.4, 5.4.4 and earlier in QTS 4.3.3, 5.2.8 and earlier in QTS 4.2.6 could allow remote attackers to access sensitive information on the device.

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-photo_stationqtsPhoto Station
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-28798
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-8.8||HIGH
EPSS-0.40% / 60.11%
||
7 Day CHG~0.00%
Published-21 May, 2021 | 03:00
Updated-16 Sep, 2024 | 18:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Relative Path Traversal Vulnerability in QTS and QuTS hero

A relative path traversal vulnerability has been reported to affect QNAP NAS running QTS and QuTS hero. If exploited, this vulnerability allows attackers to modify files that impact system integrity. QNAP have already fixed this vulnerability in the following versions: QTS 4.5.2.1630 Build 20210406 and later QTS 4.3.6.1663 Build 20210504 and later QTS 4.3.3.1624 Build 20210416 and later QuTS hero h4.5.2.1638 Build 20210414 and later QNAP NAS running QTS 4.5.3 are not affected.

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-quts_heroqtsQuTS heroQTS
CWE ID-CWE-23
Relative Path Traversal
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-62853
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-5.2||MEDIUM
EPSS-0.07% / 20.93%
||
7 Day CHG~0.00%
Published-11 Feb, 2026 | 12:16
Updated-12 Feb, 2026 | 19:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
File Station 5

A path traversal vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5166 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-file_stationFile Station 5
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-59384
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-8.1||HIGH
EPSS-0.07% / 21.35%
||
7 Day CHG~0.00%
Published-02 Jan, 2026 | 15:19
Updated-22 Jan, 2026 | 18:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Qfiling

A path traversal vulnerability has been reported to affect Qfiling. The remote attackers can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: Qfiling 3.13.1 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qfilingQfiling
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-59380
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-4.6||MEDIUM
EPSS-0.07% / 21.19%
||
7 Day CHG~0.00%
Published-02 Jan, 2026 | 15:18
Updated-06 Jan, 2026 | 13:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QTS, QuTS hero

A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following versions: QTS 5.2.8.3332 build 20251128 and later QuTS hero h5.2.8.3321 build 20251117 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qtsquts_heroQTSQuTS hero
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-58470
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-1.3||LOW
EPSS-0.24% / 47.09%
||
7 Day CHG~0.00%
Published-11 Feb, 2026 | 12:16
Updated-12 Feb, 2026 | 14:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Qsync Central

A path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 ( 2026/01/20 ) and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qsync_centralQsync Central
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-59381
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-4.6||MEDIUM
EPSS-0.07% / 21.19%
||
7 Day CHG~0.00%
Published-02 Jan, 2026 | 15:19
Updated-06 Jan, 2026 | 13:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QTS, QuTS hero

A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following versions: QTS 5.2.8.3332 build 20251128 and later QuTS hero h5.2.8.3321 build 20251117 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qtsquts_heroQTSQuTS hero
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-57712
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-4||MEDIUM
EPSS-0.08% / 23.24%
||
7 Day CHG~0.00%
Published-07 Nov, 2025 | 15:11
Updated-14 Nov, 2025 | 20:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Qsync Central

A path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.3 ( 2025/08/28 ) and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qsync_centralQsync Central
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-54162
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.22% / 44.63%
||
7 Day CHG~0.00%
Published-11 Feb, 2026 | 12:17
Updated-12 Feb, 2026 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
File Station 5

A path traversal vulnerability has been reported to affect File Station 5. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5068 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-file_stationFile Station 5
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-73
External Control of File Name or Path
CVE-2023-51364
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-8.7||HIGH
EPSS-10.78% / 93.18%
||
7 Day CHG~0.00%
Published-26 Apr, 2024 | 15:01
Updated-10 Dec, 2025 | 22:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QTS, QuTS hero, QuTScloud

A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to read the contents of unexpected files and expose sensitive data via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later QTS 4.5.4.2627 build 20231225 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTS hero h4.5.4.2626 build 20231225 and later QuTScloud c5.1.5.2651 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-quts_heroqutscloudqtsQuTScloudQuTS heroQTS
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-52861
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-7||HIGH
EPSS-0.37% / 58.15%
||
7 Day CHG+0.04%
Published-29 Aug, 2025 | 17:17
Updated-02 Sep, 2025 | 15:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
VioStor

A path traversal vulnerability has been reported to affect VioStor. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: VioStor 5.1.6 build 20250621 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-VioStor
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-51365
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-8.7||HIGH
EPSS-12.17% / 93.65%
||
7 Day CHG~0.00%
Published-26 Apr, 2024 | 15:01
Updated-10 Dec, 2025 | 22:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QTS, QuTS hero, QuTScloud

A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to read the contents of unexpected files and expose sensitive data via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later QTS 4.5.4.2627 build 20231225 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTS hero h4.5.4.2626 build 20231225 and later QuTScloud c5.1.5.2651 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-quts_heroqutscloudqtsQuTScloudQuTS heroQTSquts_heroqts
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-51366
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-8.7||HIGH
EPSS-0.28% / 51.08%
||
7 Day CHG~0.00%
Published-06 Sep, 2024 | 16:26
Updated-11 Sep, 2024 | 13:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QTS, QuTS hero

A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to read the contents of unexpected files and expose sensitive data via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later QuTS hero h5.1.6.2734 build 20240414 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-quts_heroqtsQuTS heroQTS
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-47222
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-9.6||CRITICAL
EPSS-0.36% / 57.64%
||
7 Day CHG~0.00%
Published-26 Apr, 2024 | 15:01
Updated-05 Dec, 2025 | 21:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Media Streaming add-on

An exposure of sensitive information vulnerability has been reported to affect Media Streaming add-on. If exploited, the vulnerability could allow users to compromise the security of the system via a network. We have already fixed the vulnerability in the following version: Media Streaming add-on 500.1.1.5 ( 2024/01/22 ) and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-media_streaming_add-onMedia Streaming add-on media_streaming_add-on
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-287
Improper Authentication
CVE-2023-47221
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-5.5||MEDIUM
EPSS-0.05% / 14.14%
||
7 Day CHG~0.00%
Published-08 Mar, 2024 | 16:15
Updated-02 Aug, 2024 | 21:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Photo Station

A path traversal vulnerability has been reported to affect Photo Station. If exploited, the vulnerability could allow authenticated administrators to read the contents of unexpected files and expose sensitive data via a network. We have already fixed the vulnerability in the following version: Photo Station 6.4.2 ( 2023/12/15 ) and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-Photo Station
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-41290
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-4.1||MEDIUM
EPSS-0.21% / 43.05%
||
7 Day CHG~0.00%
Published-26 Apr, 2024 | 15:01
Updated-24 Sep, 2025 | 20:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QuFirewall

A path traversal vulnerability has been reported to affect QuFirewall. If exploited, the vulnerability could allow authenticated administrators to read the contents of unexpected files and expose sensitive data via a network. We have already fixed the vulnerability in the following version: QuFirewall 2.4.1 ( 2024/02/01 ) and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qufirewallQuFirewallqufirewall
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-45027
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-5.5||MEDIUM
EPSS-0.06% / 17.55%
||
7 Day CHG~0.00%
Published-02 Feb, 2024 | 16:05
Updated-02 Aug, 2024 | 20:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QTS, QuTS hero, QuTScloud

A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to read the contents of unexpected files and expose sensitive data via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later QuTS hero h5.1.5.2647 build 20240118 and later QuTScloud c5.1.5.2651 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-quts_heroqutscloudqtsQuTScloudQuTS heroQTS
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-45026
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-5.5||MEDIUM
EPSS-0.06% / 17.55%
||
7 Day CHG~0.00%
Published-02 Feb, 2024 | 16:05
Updated-07 Nov, 2024 | 21:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QTS, QuTS hero, QuTScloud

A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to read the contents of unexpected files and expose sensitive data via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later QuTS hero h5.1.5.2647 build 20240118 and later QuTScloud c5.1.5.2651 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-quts_heroqutscloudqtsQuTScloudQuTS heroQTS
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-41291
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-5.5||MEDIUM
EPSS-0.08% / 24.60%
||
7 Day CHG~0.00%
Published-26 Apr, 2024 | 15:01
Updated-24 Sep, 2025 | 20:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QuFirewall

A path traversal vulnerability has been reported to affect QuFirewall. If exploited, the vulnerability could allow authenticated administrators to read the contents of unexpected files and expose sensitive data via a network. We have already fixed the vulnerability in the following version: QuFirewall 2.4.1 ( 2024/02/01 ) and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qufirewallQuFirewallqufirewall
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2013-7174
Matching Score-6
Assigner-CERT/CC
ShareView Details
Matching Score-6
Assigner-CERT/CC
CVSS Score-7.8||HIGH
EPSS-1.39% / 80.06%
||
7 Day CHG~0.00%
Published-09 Jan, 2014 | 11:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Absolute path traversal vulnerability in cgi-bin/jc.cgi in QNAP QTS before 4.1.0 allows remote attackers to read arbitrary files via a full pathname in the f parameter.

Action-Not Available
Vendor-n/aQNAP Systems, Inc.
Product-qtsn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-53594
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-4.4||MEDIUM
EPSS-0.02% / 4.84%
||
7 Day CHG~0.00%
Published-02 Jan, 2026 | 15:18
Updated-02 Jan, 2026 | 19:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Qfinder Pro, Qsync, QVPN

A path traversal vulnerability has been reported to affect several product versions. If a local attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following versions: Qfinder Pro Mac 7.13.0 and later Qsync for Mac 5.1.5 and later QVPN Device Client for Mac 2.2.8 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-QVPN Device Client for MacQsync for MacQfinder Pro Mac
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
CWE ID-CWE-59
Improper Link Resolution Before File Access ('Link Following')
CVE-2025-47211
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-6.9||MEDIUM
EPSS-0.08% / 23.60%
||
7 Day CHG~0.00%
Published-03 Oct, 2025 | 18:10
Updated-08 Oct, 2025 | 19:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QTS, QuTS hero

A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qtsquts_heroQuTS heroQTS
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-33034
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.09% / 24.93%
||
7 Day CHG~0.00%
Published-03 Oct, 2025 | 18:08
Updated-07 Oct, 2025 | 15:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Qsync Central

A path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.1 ( 2025/07/09 ) and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qsync_centralQsync Central
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-33036
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-7.2||HIGH
EPSS-0.06% / 18.70%
||
7 Day CHG+0.01%
Published-29 Aug, 2025 | 17:17
Updated-19 Sep, 2025 | 17:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Qsync Central

A path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: Qsync Central 4.5.0.7 ( 2025/04/23 ) and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qsync_centralQsync Central
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-33032
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-5.1||MEDIUM
EPSS-0.06% / 17.26%
||
7 Day CHG~0.00%
Published-29 Aug, 2025 | 17:16
Updated-22 Sep, 2025 | 17:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QTS, QuTS hero

A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: QTS 5.2.5.3145 build 20250526 and later QuTS hero h5.2.5.3138 build 20250519 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-quts_heroqtsQuTS heroQTS
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-33035
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-7.2||HIGH
EPSS-0.07% / 21.40%
||
7 Day CHG~0.00%
Published-06 Jun, 2025 | 15:52
Updated-17 Sep, 2025 | 18:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
File Station 5

A path traversal vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4847 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-file_stationFile Station 5
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-33038
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-7.2||HIGH
EPSS-0.06% / 18.70%
||
7 Day CHG+0.01%
Published-29 Aug, 2025 | 17:17
Updated-19 Sep, 2025 | 17:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Qsync Central

A path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: Qsync Central 4.5.0.7 ( 2025/04/23 ) and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qsync_centralQsync Central
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-33033
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-7.2||HIGH
EPSS-0.06% / 18.70%
||
7 Day CHG+0.01%
Published-29 Aug, 2025 | 17:16
Updated-19 Sep, 2025 | 17:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Qsync Central

A path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: Qsync Central 4.5.0.7 ( 2025/04/23 ) and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qsync_centralQsync Central
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-33037
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-7.2||HIGH
EPSS-0.06% / 18.70%
||
7 Day CHG+0.01%
Published-29 Aug, 2025 | 17:17
Updated-19 Sep, 2025 | 17:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Qsync Central

A path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: Qsync Central 4.5.0.7 ( 2025/04/23 ) and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qsync_centralQsync Central
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-30270
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.06% / 18.70%
||
7 Day CHG+0.01%
Published-29 Aug, 2025 | 17:16
Updated-02 Sep, 2025 | 15:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QTS, QuTS hero

A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following versions: QTS 5.2.5.3145 build 20250526 and later QuTS hero h5.2.5.3138 build 20250519 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-QuTS heroQTS
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-30271
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.06% / 18.70%
||
7 Day CHG+0.01%
Published-29 Aug, 2025 | 17:16
Updated-02 Sep, 2025 | 15:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QTS, QuTS hero

A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following versions: QTS 5.2.5.3145 build 20250526 and later QuTS hero h5.2.5.3138 build 20250519 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-QuTS heroQTS
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • Previous
  • 1
  • 2
  • Next
Details not found