CVE-2024-14026
Received Received - Intake
Command Injection in QNAP OS Allows Arbitrary Command Execution

Publication date: 2026-03-11

Last updated on: 2026-03-12

Assigner: QNAP Systems, Inc.

Description
A command injection vulnerability has been reported to affect several QNAP operating system versions. If an attacker gains local network access who have also gained a user account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later QTS 5.2.3.3006 build 20250108 and later QuTS hero h5.1.9.2954 build 20241120 and later QuTS hero h5.2.3.3006 build 20250108 and later
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-12
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-15
NVD
CVE-2024-14026
EUVD
EUVD-2024-55475
Affected Vendors & Products
Showing 48 associated CPEs
Vendor Product Version / Range
qnap qts 5.1.0.2348
qnap qts 5.1.0.2418
qnap qts 5.1.0.2399
qnap qts 5.1.0.2466
qnap qts 5.1.1.2491
qnap qts 5.1.0.2444
qnap qts 5.1.3.2578
qnap qts 5.1.2.2533
qnap qts 5.1.4.2596
qnap qts 5.1.5.2645
qnap qts 5.1.5.2679
qnap qts 5.1.6.2722
qnap qts 5.1.7.2770
qnap qts 5.1.8.2823
qnap qts 5.2.0.2737
qnap qts 5.2.0.2744
qnap qts 5.2.0.2782
qnap qts 5.2.0.2802
qnap qts 5.2.0.2823
qnap qts 5.2.0.2851
qnap qts 5.2.0.2860
qnap qts 5.2.1.2930
qnap qts 5.2.2.2950
qnap quts_hero h5.1.0.2409
qnap quts_hero h5.1.1.2488
qnap quts_hero h5.1.0.2466
qnap quts_hero h5.1.0.2453
qnap quts_hero h5.1.0.2424
qnap quts_hero h5.1.3.2578
qnap quts_hero h5.1.2.2534
qnap quts_hero h5.1.5.2647
qnap quts_hero h5.1.4.2596
qnap quts_hero h5.1.5.2680
qnap quts_hero h5.1.6.2734
qnap quts_hero h5.1.7.2770
qnap quts_hero h5.1.7.2788
qnap quts_hero h5.1.7.2794
qnap quts_hero h5.1.8.2823
qnap quts_hero h5.2.0.2737
qnap quts_hero h5.2.0.2782
qnap quts_hero h5.2.0.2789
qnap quts_hero h5.2.0.2802
qnap quts_hero h5.2.0.2823
qnap quts_hero h5.2.0.2851
qnap quts_hero h5.2.0.2860
qnap quts_hero h5.2.1.2929
qnap quts_hero h5.2.1.2940
qnap quts_hero h5.2.2.2952
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a command injection flaw affecting several versions of the QNAP operating system. It allows an attacker who has local network access and a user account on the system to execute arbitrary commands on the device.

Impact Analysis

If exploited, this vulnerability can allow an attacker to run arbitrary commands on the affected QNAP device. This could lead to unauthorized control over the system, potentially compromising data, disrupting services, or further escalating privileges.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should update your QNAP operating system to one of the fixed versions listed below:

  • QTS 5.1.9.2954 build 20241120 and later
  • QTS 5.2.3.3006 build 20250108 and later
  • QuTS hero h5.1.9.2954 build 20241120 and later
  • QuTS hero h5.2.3.3006 build 20250108 and later

These updates fix the command injection vulnerability that could be exploited by an attacker with local network access and a user account.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-14026. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart