anonhaven
Ad

CVE-2026-22895

LOW CVSS 4.0: 2.2 EPSS 0.08%
Updated Apr 10, 2026
Qnap
Parameter Value
CVSS 2.2 (LOW)
Affected Versions 1.5.0 — 1.6.2
Fixed In 1.4.3
Type CWE-79 (Cross-Site Scripting (XSS))
Vendor Qnap
Public PoC No

A cross-site scripting (XSS) vulnerability has been reported to affect QuFTP Service. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: QuFTP Service 1.4.3 and later QuFTP Service 1.5.2 and later QuFTP Service 1.6.2 and later

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
High
Admin privileges needed
User Interaction
Passive
Minimal interaction

Impact Assessment

Confidentiality
None
No data leak
Integrity
None
No data modification
Availability
None
No disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-79 Cross-Site Scripting (XSS)

Vulnerable Products 3

Configuration From (including) Up to (excluding)
Qnap Quftp
cpe:2.3:a:qnap:quftp:*:*:*:*:*:*:*:*
 1.4.3
Qnap Quftp
cpe:2.3:a:qnap:quftp:*:*:*:*:*:*:*:*
 1.5.0 1.5.2
Qnap Quftp
cpe:2.3:a:qnap:quftp:*:*:*:*:*:*:*:*
 1.6.0 1.6.2

References 1

https://www.qnap.com/en/security-advisory/qsa-26-15
security@qnapsecurity.com.tw
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-22902

Qnap

5.7

CVE-2026-22901

Qnap

6.3

CVE-2026-22900

Qnap

6.8

CVE-2026-22897

Qnap

8.1

CVE-2025-59388

Qnap

6.6