CVE-2026-22898

A missing authentication for critical function vulnerability has been reported to affect QVR Pro. The remote attackers can then exploit the vulnerability to gain access to the system. We have already fixed the vulnerability in the following version: QVR Pro 2.7.4.14 and later

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.qnap.com/en/security-advisory/qsa-26-07	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:qnap:qvr_pro:*:*:*:*:*:*:*:*

History

14 Apr 2026, 14:33

Type	Values Removed	Values Added
First Time		Qnap qvr Pro Qnap
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
References	~~() https://www.qnap.com/en/security-advisory/qsa-26-07 -~~	() https://www.qnap.com/en/security-advisory/qsa-26-07 - Vendor Advisory
Summary		(es) Se ha reportado una vulnerabilidad de autenticación ausente para función crítica que afecta a QVR Pro. Los atacantes remotos pueden entonces explotar la vulnerabilidad para obtener acceso al sistema. Ya hemos corregido la vulnerabilidad en la siguiente versión: QVR Pro 2.7.4.14 y posteriores
CPE		cpe:2.3:a:qnap:qvr_pro::::::::

20 Mar 2026, 17:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-20 17:16

Updated : 2026-04-14 14:33

NVD link : CVE-2026-22898

Mitre link : CVE-2026-22898

CVE.ORG link : CVE-2026-22898

JSON object : View

Products Affected

qnap

qvr_pro

CWE

CWE-306

Missing Authentication for Critical Function

{"id": "CVE-2026-22898", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security@qnapsecurity.com.tw", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-20T17:16:44.307", "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-26-07", "tags": ["Vendor Advisory"], "source": "security@qnapsecurity.com.tw"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security@qnapsecurity.com.tw", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "A missing authentication for critical function vulnerability has been reported to affect QVR Pro. The remote attackers can then exploit the vulnerability to gain access to the system.\n\nWe have already fixed the vulnerability in the following version:\nQVR Pro 2.7.4.14 and later"}, {"lang": "es", "value": "Se ha reportado una vulnerabilidad de autenticaci\u00f3n ausente para funci\u00f3n cr\u00edtica que afecta a QVR Pro. Los atacantes remotos pueden entonces explotar la vulnerabilidad para obtener acceso al sistema.\n\nYa hemos corregido la vulnerabilidad en la siguiente versi\u00f3n:\nQVR Pro 2.7.4.14 y posteriores"}], "lastModified": "2026-04-14T14:33:30.040", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:qnap:qvr_pro:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "73876E44-976A-4A41-8176-B28F3D39ED43", "versionEndExcluding": "2.7.4.1485", "versionStartIncluding": "2.7.1.1259"}], "operator": "OR"}]}], "sourceIdentifier": "security@qnapsecurity.com.tw"}