Filtered by vendor Qnap
Subscribe
Total
613 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2013-7174 | 1 Qnap | 1 Qts | 2026-04-29 | 7.8 HIGH | N/A |
| Absolute path traversal vulnerability in cgi-bin/jc.cgi in QNAP QTS before 4.1.0 allows remote attackers to read arbitrary files via a full pathname in the f parameter. | |||||
| CVE-2013-0142 | 1 Qnap | 3 Nas, Surveillance Station Pro, Viostor Network Video Recorder | 2026-04-29 | 5.0 MEDIUM | N/A |
| QNAP VioStor NVR devices with firmware 4.0.3, and the Surveillance Station Pro component in QNAP NAS, have a hardcoded guest account, which allows remote attackers to obtain web-server login access via unspecified vectors. | |||||
| CVE-2013-0144 | 1 Qnap | 1 Viostor Network Video Recorder | 2026-04-29 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in cgi-bin/create_user.cgi on QNAP VioStor NVR devices with firmware 4.0.3 allows remote attackers to hijack the authentication of administrators for requests that create administrative accounts via a NEW USER action. | |||||
| CVE-2013-0143 | 1 Qnap | 3 Nas, Surveillance Station Pro, Viostor Network Video Recorder | 2026-04-29 | 6.5 MEDIUM | N/A |
| cgi-bin/pingping.cgi on QNAP VioStor NVR devices with firmware 4.0.3, and in the Surveillance Station Pro component in QNAP NAS, allows remote authenticated users to execute arbitrary commands by leveraging guest access and placing shell metacharacters in the query string. | |||||
| CVE-2009-3200 | 1 Qnap | 2 Ts-239 Pro Turbo Nas, Ts-639 Pro Turbo Nas | 2026-04-23 | 5.9 MEDIUM | N/A |
| The QNAP TS-239 Pro and TS-639 Pro with firmware 2.1.7 0613, 3.1.0 0627, and 3.1.1 0815 create an undocumented recovery key and store it in the ENCK variable in flash memory, which allows local users to bypass the passphrase requirement and decrypt the hard drive by reading this variable, deobfuscating the key, and running a cryptsetup luksOpen command. | |||||
| CVE-2009-3278 | 1 Qnap | 4 Ts-239 Pro, Ts-239 Pro Firmware, Ts-639 Pro and 1 more | 2026-04-23 | 4.9 MEDIUM | 5.5 MEDIUM |
| The QNAP TS-239 Pro and TS-639 Pro with firmware 2.1.7 0613, 3.1.0 0627, and 3.1.1 0815 use the rand library function to generate a certain recovery key, which makes it easier for local users to determine this key via a brute-force attack. | |||||
| CVE-2009-3279 | 1 Qnap | 2 Ts-239 Pro Turbo Nas, Ts-639 Pro Turbo Nas | 2026-04-23 | 4.9 MEDIUM | N/A |
| The QNAP TS-239 Pro and TS-639 Pro with firmware 2.1.7 0613, 3.1.0 0627, and 3.1.1 0815 create a LUKS partition by using the AES-256 cipher in plain CBC mode, which allows local users to obtain sensitive information via a watermark attack. | |||||
| CVE-2014-6271 | 17 Apple, Arista, Canonical and 14 more | 85 Mac Os X, Eos, Ubuntu Linux and 82 more | 2026-04-22 | 10.0 HIGH | 9.8 CRITICAL |
| GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. | |||||
| CVE-2014-7169 | 17 Apple, Arista, Canonical and 14 more | 85 Mac Os X, Eos, Ubuntu Linux and 82 more | 2026-04-22 | 10.0 HIGH | 9.8 CRITICAL |
| GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271. | |||||
| CVE-2026-22898 | 1 Qnap | 1 Qvr Pro | 2026-04-14 | N/A | 9.8 CRITICAL |
| A missing authentication for critical function vulnerability has been reported to affect QVR Pro. The remote attackers can then exploit the vulnerability to gain access to the system. We have already fixed the vulnerability in the following version: QVR Pro 2.7.4.14 and later | |||||
| CVE-2025-62845 | 1 Qnap | 1 Qurouter | 2026-04-14 | N/A | 6.7 MEDIUM |
| An improper neutralization of escape, meta, or control sequences vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to cause unexpected behavior. We have already fixed the vulnerability in the following version: QuRouter 2.6.3.009 and later | |||||
| CVE-2025-62844 | 1 Qnap | 1 Qurouter | 2026-04-14 | N/A | 5.5 MEDIUM |
| A weak authentication vulnerability has been reported to affect QHora. If an attacker gains local network access, they can then exploit the vulnerability to gain sensitive information. We have already fixed the vulnerability in the following version: QuRouter 2.6.2.007 and later | |||||
| CVE-2025-62843 | 1 Qnap | 1 Qurouter | 2026-04-14 | N/A | 6.8 MEDIUM |
| An improper restriction of communication channel to intended endpoints vulnerability has been reported to affect QHora. If an attacker gains physical access, they can then exploit the vulnerability to gain the privileges that were intended for the original endpoint. We have already fixed the vulnerability in the following version: QuRouter 2.6.3.009 and later | |||||
| CVE-2025-62846 | 1 Qnap | 1 Qurouter | 2026-04-14 | N/A | 6.7 MEDIUM |
| An SQL injection vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following version: QuRouter 2.6.2.007 and later | |||||
| CVE-2025-59383 | 1 Qnap | 1 Media Streaming Add-on | 2026-04-14 | N/A | 9.1 CRITICAL |
| A buffer overflow vulnerability has been reported to affect Media Streaming Add-On. The remote attackers can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: Media Streaming Add-on 500.1.1 and later | |||||
| CVE-2026-22895 | 1 Qnap | 1 Quftp | 2026-04-10 | N/A | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability has been reported to affect QuFTP Service. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: QuFTP Service 1.4.3 and later QuFTP Service 1.5.2 and later QuFTP Service 1.6.2 and later | |||||
| CVE-2026-22900 | 1 Qnap | 1 Qunetswitch | 2026-03-25 | N/A | 9.8 CRITICAL |
| A use of hard-coded credentials vulnerability has been reported to affect QuNetSwitch. The remote attackers can then exploit the vulnerability to gain unauthorized access. We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.5.0906 and later | |||||
| CVE-2026-22897 | 1 Qnap | 1 Qunetswitch | 2026-03-25 | N/A | 9.8 CRITICAL |
| A command injection vulnerability has been reported to affect QuNetSwitch. The remote attackers can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.4.0415 and later | |||||
| CVE-2026-22901 | 1 Qnap | 1 Qunetswitch | 2026-03-25 | N/A | 9.8 CRITICAL |
| A command injection vulnerability has been reported to affect QuNetSwitch. If a remote attacker gains a user account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.5.0906 and later | |||||
| CVE-2026-22902 | 1 Qnap | 1 Qunetswitch | 2026-03-25 | N/A | 6.7 MEDIUM |
| A command injection vulnerability has been reported to affect QuNetSwitch. If a local attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.5.0906 and later | |||||