CVE-2023-39296 HIGH

CVE-2023-39296: QTS, QuTS hero

Vendor Qnap Systems Inc.
Product QTS
Weakness CWE-1321
Published January 5, 2024
Last update June 3, 2025

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01 Description

A prototype pollution vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to override existing attributes with ones that have an incompatible type, which may lead to a crash via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later, and QuTS hero h5.1.3.2578 build 20231110 and later.

Key dates

02 Disclosure timeline

January 5, 2024 CVE published
June 3, 2025 Record updated