CVE-2026-22902 Qnap — Exploit & Vulnerability Details MEDIUM

CVE-2026-22902

MEDIUM CVSS 4.0: 5.7 EPSS 0.03%

Parameter	Value
CVSS	5.7 (MEDIUM)
Affected Versions	before 2.0.5.0906
Type	CWE-78 (OS Command Injection)
Vendor	Qnap
Public PoC	No

A command injection vulnerability has been reported to affect QuNetSwitch. If a local attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.5.0906 and later

Attack Parameters

Attack Vector

Local

Requires local access

Attack Complexity

Low

Easy to exploit

Attack Requirements

None

No additional conditions

Privileges Required

High

Admin privileges needed

User Interaction

None

No user interaction needed

Impact Assessment

Confidentiality

High

Complete data leak

Integrity

High

Complete data modification

Availability

High

Complete denial of service

CVSS Vector v4.0

Weakness Type (CWE)

CWE-78 OS Command Injection

Vulnerable Products 1

Configuration	From (including)	Up to (excluding)
Qnap Qunetswitch cpe:2.3:a:qnap:qunetswitch::::::::	—	`<= 2.0.5.0906`

References 1

https://www.qnap.com/en/security-advisory/qsa-26-11

security@qnapsecurity.com.tw

Share Post Share Share Share

Related Vulnerabilities

CVE-2026-22901

Qnap

6.3

CVE-2026-22900

Qnap

6.8

CVE-2026-22897

Qnap

8.1

CVE-2026-22895

Qnap

2.2

CVE-2025-59388

Qnap

6.6

Menu

CVE-2026-22902

Attack Parameters

Impact Assessment

CVSS Vector v4.0

Weakness Type (CWE)

Vulnerable Products 1

References 1

Related Vulnerabilities

CVE-2026-22901

CVE-2026-22900

CVE-2026-22897

CVE-2026-22895

CVE-2025-59388

CVE Details

Editor's Choice

Menu

CVE-2026-22902

Attack Parameters

Impact Assessment

CVSS Vector v4.0

Weakness Type (CWE)

Vulnerable Products 1

References 1

Related Vulnerabilities

CVE-2026-22901

CVE-2026-22900

CVE-2026-22897

CVE-2026-22895

CVE-2025-59388

CVE Details

Editor's Choice

Stay informed on cybersecurity