CVE-2026-22895
Modified Modified - Updated After Analysis

Cross-Site Scripting in QuFTP Service Enables Admin Data Access

Vulnerability report for CVE-2026-22895, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-20

Last updated on: 2026-06-09

Assigner: QNAP Systems, Inc.

Description

A cross-site scripting (XSS) vulnerability has been reported to affect QuFTP Service. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: QuFTP Service 1.4.3 and later QuFTP Service 1.5.2 and later QuFTP Service 1.6.2 and later

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-20
Last Modified
2026-06-09
Generated
2026-07-06
AI Q&A
2026-03-20
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
qnap quftp to 1.4.3 (exc)
qnap quftp From 1.5.0 (inc) to 1.5.2 (exc)
qnap quftp From 1.6.0 (inc) to 1.6.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The CVE-2026-22895 vulnerability is a cross-site scripting (XSS) flaw affecting QuFTP Service versions 1.4.x, 1.5.x, and 1.6.x.

This vulnerability allows a remote attacker who has obtained an administrator account to exploit the XSS issue to bypass security mechanisms or access application data.

The vulnerability has been resolved in QuFTP Service versions 1.4.3 and later, 1.5.2 and later, and 1.6.2 and later.

Impact Analysis

If a remote attacker gains an administrator account, they can exploit this XSS vulnerability to bypass security mechanisms or read sensitive application data.

This could lead to unauthorized access to protected information and potentially compromise the security of the affected system.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

[{'type': 'paragraph', 'content': 'To mitigate the CVE-2026-22895 vulnerability, you should update the QuFTP Service to a fixed version.'}, {'type': 'list_item', 'content': 'Update to QuFTP Service version 1.4.3 or later, 1.5.2 or later, or 1.6.2 or later.'}, {'type': 'list_item', 'content': 'Log into QTS or QuTS hero as an administrator.'}, {'type': 'list_item', 'content': 'Access the App Center.'}, {'type': 'list_item', 'content': 'Search for "QuFTP Service".'}, {'type': 'list_item', 'content': 'Click the Update button if it is available.'}] [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22895. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart