CVE-2026-41539

Analyzed Analyzed - Analysis Complete

Stored XSS in QNAP QTS and QuTS hero

Publication date: 2026-06-09

Last updated on: 2026-06-12

Assigner: QNAP Systems, Inc.

Description

A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3500 build 20260520 and later

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-09

Last Modified

2026-06-12

Generated

2026-06-29

AI Q&A

2026-06-09

EPSS Evaluated

2026-06-28

NVD

CVE-2026-41539

EUVD

EUVD-2026-35350

Affected Vendors & Products

Vendor	Product	Version / Range
qnap	qts	5.2.0.2737
qnap	qts	5.2.0.2744
qnap	qts	5.2.0.2782
qnap	qts	5.2.0.2802
qnap	qts	5.2.0.2823
qnap	qts	5.2.0.2851
qnap	qts	5.2.0.2860
qnap	qts	5.2.1.2930
qnap	qts	5.2.2.2950
qnap	qts	5.2.3.3006
qnap	qts	5.2.4.3070
qnap	qts	5.2.4.3079
qnap	qts	5.2.4.3092
qnap	qts	5.2.5.3145
qnap	qts	5.2.6.3195
qnap	qts	5.2.6.3229
qnap	qts	5.2.7.3256
qnap	qts	5.2.7.3297
qnap	qts	5.2.8.3332
qnap	qts	5.2.8.3350
qnap	qts	5.2.8.3359
qnap	qts	5.2.9.3410
qnap	qts	5.2.9.3451
qnap	quts_hero	h5.2.0.2737
qnap	quts_hero	h5.2.0.2782
qnap	quts_hero	h5.2.0.2789
qnap	quts_hero	h5.2.0.2802
qnap	quts_hero	h5.2.0.2823
qnap	quts_hero	h5.2.0.2851
qnap	quts_hero	h5.2.0.2860
qnap	quts_hero	h5.2.1.2929
qnap	quts_hero	h5.2.1.2940
qnap	quts_hero	h5.2.2.2952
qnap	quts_hero	h5.2.3.3006
qnap	quts_hero	h5.2.4.3070
qnap	quts_hero	h5.2.4.3079
qnap	quts_hero	h5.2.5.3138
qnap	quts_hero	h5.2.6.3195
qnap	quts_hero	h5.3.0.3115
qnap	quts_hero	h5.3.0.3145
qnap	quts_hero	h5.3.0.3192
qnap	quts_hero	h5.3.1.3250
qnap	quts_hero	h5.3.1.3292
qnap	quts_hero	h5.2.7.3256
qnap	quts_hero	h5.2.7.3297
qnap	quts_hero	h5.2.8.3321
qnap	quts_hero	h5.2.8.3350
qnap	quts_hero	h5.2.8.3359
qnap	quts_hero	h5.2.9.3410
qnap	quts_hero	h5.2.9.3492
qnap	quts_hero	h5.3.2.3354
qnap	quts_hero	h5.3.3.3424
qnap	quts_hero	h6.0.0.3324
qnap	quts_hero	h6.0.0.3382
qnap	quts_hero	h6.0.0.3397
qnap	quts_hero	h6.0.0.3459

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-79	The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

Compliance Impact

The vulnerability is a cross-site scripting (XSS) issue that allows remote attackers to bypass security mechanisms or read application data. Such unauthorized access or data exposure could potentially impact compliance with data protection regulations like GDPR or HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

However, the provided information does not explicitly describe the direct effects on compliance with these standards or regulations.

Executive Summary

This vulnerability is a cross-site scripting (XSS) issue affecting several versions of the QNAP operating system. It allows remote attackers to exploit the vulnerability to bypass security mechanisms or read application data.

Impact Analysis

The impact of this vulnerability includes the potential for attackers to bypass security controls and access sensitive application data remotely. This could lead to unauthorized data exposure or manipulation.

Mitigation Strategies

To mitigate this vulnerability, you should update your QNAP operating system to the fixed versions provided by the vendor.

For QTS, update to version 5.2.9.3492 build 20260507 or later.
For QuTS hero, update to version h5.2.9.3499 build 20260514 or later.
Alternatively, update to QuTS hero h5.3.4.3500 build 20260520 or later.
Or update to QuTS hero h6.0.0.3500 build 20260520 or later.

Hi! I’m here to help you understand CVE-2026-41539. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70