CVE-2026-41539 HIGH

CVE-2026-41539: QTS, QuTS hero

Vendor Qnap Systems Inc.
Product QTS
Weakness CWE-79 · XSS
Published June 9, 2026
Last update June 9, 2026
View on NVD All CVEs

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3500 build 20260520 and later

Key dates

02Disclosure timeline

June 9, 2026 CVE published
June 9, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-25592 WordPress Broken Link Checker plugin <= 2.2.3 - Cross Site Scripting (XSS) vulnerability CVE-2024-11938 One Click Upsell Funnel for WooCommerce <= 3.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via wps_wocuf_pro_yes Shortcode CVE-2026-33295 AVideo Vulnerable to Stored XSS via Unescaped Video Title in CDN downloadButtons.php CVE-2022-41980 WordPress Mantenimiento web plugin <= 0.13 - Auth. Cross-Site Scripting (XSS) vulnerability CVE-2025-8337 code-projects Simple Car Rental System add_vehicles.php cross site scripting