CVE-2025-59381
4.9 MEDIUMA path traversal vulnerability has been reported to affect several QNAP operating system versions
Published: 2026-01-02 · Last updated: 2026-06-09
Severity and scoring
- CVSS
- 4.9 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
- CWE
- CWE-22
Affected products
| Vendor | Product |
|---|---|
| qnap | qts, quts_hero |
Description
A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following versions: QTS 5.2.8.3332 build 20251128 and later QuTS hero h5.2.8.3321 build 20251117 and later QuTS hero h5.3.2.3354 build 20251225 and later
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-26241 — A buffer overflow vulnerability has been reported to affect File Station 5 (9.1 CRITICAL)
- CVE-2026-26240 — A buffer overflow vulnerability has been reported to affect File Station 5 (9.1 CRITICAL)
- CVE-2026-26239 — A buffer overflow vulnerability has been reported to affect File Station 5 (8.1 HIGH)
- CVE-2026-26237 — A missing authorization vulnerability has been reported to affect QuMagie (7.5 HIGH)
- CVE-2026-24724 — An incorrect authorization vulnerability has been reported to affect File Station 6 (8.1 HIGH)
Same CWE
- CVE-2026-48777 — FileBrowser Quantum is a free, self-hosted, web-based file manager
- CVE-2026-8442 — The WP Review Slider Pro plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 12.6.8 (8.1 HIGH)
- CVE-2026-49766 — Subscriber Arbitrary File Deletion in WP User Manager <= 2.9.16 versions (9.9 CRITICAL)
- CVE-2026-49061 — Unauthenticated Arbitrary File Download in WPC Product Options for WooCommerce <= 3.2.1 versions (7.5 HIGH)
- CVE-2026-40779 — Contributor Arbitrary File Deletion in Link Library <= 7.8.8 versions (7.7 HIGH)