CVE-2026-22895

Modified Modified - Updated After Analysis

Cross-Site Scripting in QuFTP Service Enables Admin Data Access

Publication date: 2026-03-20

Last updated on: 2026-06-09

Assigner: QNAP Systems, Inc.

Description

A cross-site scripting (XSS) vulnerability has been reported to affect QuFTP Service. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: QuFTP Service 1.4.3 and later QuFTP Service 1.5.2 and later QuFTP Service 1.6.2 and later

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-03-20

Last Modified

2026-06-09

Generated

2026-06-16

AI Q&A

2026-03-20

EPSS Evaluated

2026-06-15

NVD

CVE-2026-22895

EUVD

EUVD-2026-13714

Affected Vendors & Products

Vendor	Product	Version / Range
qnap	quftp	to 1.4.3 (exc)
qnap	quftp	From 1.5.0 (inc) to 1.5.2 (exc)
qnap	quftp	From 1.6.0 (inc) to 1.6.2 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-79	The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

Executive Summary

The CVE-2026-22895 vulnerability is a cross-site scripting (XSS) flaw affecting QuFTP Service versions 1.4.x, 1.5.x, and 1.6.x.

This vulnerability allows a remote attacker who has obtained an administrator account to exploit the XSS issue to bypass security mechanisms or access application data.

The vulnerability has been resolved in QuFTP Service versions 1.4.3 and later, 1.5.2 and later, and 1.6.2 and later.

Impact Analysis

If a remote attacker gains an administrator account, they can exploit this XSS vulnerability to bypass security mechanisms or read sensitive application data.

This could lead to unauthorized access to protected information and potentially compromise the security of the affected system.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

[{'type': 'paragraph', 'content': 'To mitigate the CVE-2026-22895 vulnerability, you should update the QuFTP Service to a fixed version.'}, {'type': 'list_item', 'content': 'Update to QuFTP Service version 1.4.3 or later, 1.5.2 or later, or 1.6.2 or later.'}, {'type': 'list_item', 'content': 'Log into QTS or QuTS hero as an administrator.'}, {'type': 'list_item', 'content': 'Access the App Center.'}, {'type': 'list_item', 'content': 'Search for "QuFTP Service".'}, {'type': 'list_item', 'content': 'Click the Update button if it is available.'}] [1]

Hi! I’m here to help you understand CVE-2026-22895. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-22895

Cross-Site Scripting in QuFTP Service Enables Admin Data Access

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart