A series of vulnerabilities in QNAP NAS products has prompted security warnings after researchers identified flaws that could allow attackers to execute arbitrary commands, bypass security controls, disclose sensitive information, or disrupt system operations. The issues affect several QNAP platforms, including QTS, QuTS hero, QuTS cloud, and QVP appliances.
The security advisory, identified as QSA-26-10, was released by QNAP on June 17, 2026, while a related security notice was published on June 24, 2026. The vulnerabilities were assigned an “Important” severity rating and have since been marked as resolved through updated software releases.
Affected Products from Vulnerabilities in QNAP NAS
The reported QNAP NAS vulnerabilities impact QTS 5.2.7, QuTS hero h5.2.8, QuTS cloud c5.2.8, and QVP 2.7.1. According to the advisory, successful exploitation could lead to denial-of-service conditions, information disclosure, elevation of privileges, remote code execution, and security restriction bypass.
One of the most notable flaws, CVE-2025-59382, is a URL injection vulnerability. QNAP explained that “a remote attacker can modify the password reset URL and trick a victim into visiting an attacker-controlled password reset page, leading to credential theft.”
Command Injection and Buffer Overflow Risks
Several command injection vulnerabilities were also disclosed. CVE-2025-66273 allows an authenticated administrator to inject arbitrary system commands through a username parameter. Similar command execution issues were identified in CVE-2025-66279, involving user deletion APIs, and CVE-2026-22893, which could enable command execution with elevated privileges.
Additional vulnerabilities in QNAP NAS devices involve memory handling weaknesses. CVE-2025-62858 is a stack overflow vulnerability that may cause memory corruption and unexpected behavior when exploited by an administrator. CVE-2025-66280 and CVE-2025-68405 can result in unexpected system behavior or denial-of-service conditions.
QNAP also disclosed three stack-based buffer overflow vulnerabilities: CVE-2026-26239, CVE-2026-26240, and CVE-2026-26241. These flaws can enable unauthorized actions or cause CGI service crashes through excessively long filenames during file upload operations.
Access Control and Resource Consumption Issues
Among the other QNAP NAS vulnerabilities, CVE-2026-24724 involves broken access control that may allow authenticated users to bypass restrictions and access sensitive files. Meanwhile, CVE-2026-22899 can trigger a NULL pointer dereference in utilRequest.cgi, resulting in a denial-of-service condition.
Another issue, CVE-2026-24720, is an uncontrolled resource consumption vulnerability that could cause excessive CPU and memory usage, reducing overall system responsiveness. QNAP also warned that CVE-2025-66281, a pre-authentication NULL pointer vulnerability, can be triggered through a malformed HTTP request with a missing or empty content-length header.
Fixed Versions and Recommendations
QNAP has released patches for all affected products. The fixes are available in QVP 2.8.0, QuTS cloud C5.2.9, QTS 5.2.9.3499, and QuTS hero h5.2.9.
To mitigate risks associated with CVE-2025-59382 and other vulnerabilities in QNAP NAS systems, administrators are advised to update their devices to the latest firmware versions. QNAP recommends regularly checking for software updates and applying vendor-issued security patches to reduce exposure to newly discovered threats.
