Gbhackers
QNAP Addresses 14 Vulnerabilities in NAS and Surveillance Systems
Article Content
QNAP has released security advisory QSA-26-10 to address 14 vulnerabilities in its NAS and surveillance platforms, including QTS, QuTS hero, QuTS cloud, and QVP (QVR Pro appliances). These vulnerabilities, disclosed on April 6, 2026, are categorized as having 'Important' severity. Notable issues include CVE-2025-59382, a URL injection flaw that could lead to credential harvesting, and several command injection vulnerabilities (CVE-2025-66273, CVE-2025-66279, CVE-2026-22893) that allow arbitrary command execution. Other critical vulnerabilities involve memory safety issues, such as stack and buffer overflows (CVE-2025-62858, CVE-2026-26239, CVE-2026-26241), which can cause service crashes. QNAP has released firmware updates to mitigate these vulnerabilities, urging users to update immediately to prevent exploitation. The vulnerabilities affect versions QTS 5.2.7, QuTS hero h5.2.8, QuTS cloud c5.2.8, and QVP 2.7.1.
Key Points:
• QNAP fixed 14 vulnerabilities in its NAS and surveillance systems with advisory QSA-26-10.
• Critical vulnerabilities include command injection and memory safety issues, allowing potential system compromise.
• Users are urged to update to the latest firmware versions to mitigate risks of exploitation.