How is CVE-2026-41539 exploited?

Network reachability (required): The attacker must reach the QNAP device over the network; the vulnerability is exposed remotely via the device's web interface. Authentication (not-required): No account or credentials are needed to deliver the malicious payload to the vulnerable application. Victim interaction (required): A logged-in user must visit or load the attacker-controlled or injected page for the script to execute in their browser, making this a social-engineering or phishing-assisted attack. Attack complexity (info): The exploit is reliable and condition-free; no race conditions or special environmental factors are required.

What is the impact of CVE-2026-41539?

A successful attacker reads stored session tokens and application data accessible in the victim's browser context. Injected scripts can bypass client-side security mechanisms such as same-origin checks or UI access controls enforced in the browser. Depending on application permissions, the attacker can perform actions on the QNAP device on behalf of the authenticated victim, including reading or modifying stored files and settings.

Back to search

HIGHCVE-2026-41539Published 2026-06-09Modified 2026-06-09CNA qnap

CVE-2026-41539: QTS, QuTS hero

A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3500 build 20260520 and later

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: 5.2.9.3492 build 20260507
Affected Products: 2

HarborGuard Analysis

Synopsis

A cross-site scripting (XSS) vulnerability affects QNAP QTS and QuTS hero operating system versions. XSS means an attacker can inject malicious scripts into pages served by the device, which then execute in the browser of any user who views the affected page. Exploitation is network-based, requires no authentication, and allows a successful attacker to bypass security mechanisms and read application data including session tokens. Patched-image rebuilds at the fixed versions are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-41539 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream feeds including the QNAP advisory. Coverage extends to custom-built images derived from affected QTS or QuTS hero base layers.

Available

Triage

HarborGuard is capable of scoring this CVE at CVSS v4.0 8.7 (HIGH) and weighting that score against each environment's per-customer compliance policy to determine urgency. Triage routing to the appropriate team inbox within each customer organization is available automatically based on those policy settings.

Available

Patch

Patched-image rebuilds at QTS 5.2.9.3492 build 20260507 and QuTS hero h5.2.9.3499 build 20260514, h5.3.4.3500 build 20260520, and h6.0.0.3500 build 20260520 are available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, a rebuilt image, regression-test run, and a PR opened against affected workloads are provided automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker must reach the QNAP device over the network; the vulnerability is exposed remotely via the device's web interface.
AuthenticationNot required
No account or credentials are needed to deliver the malicious payload to the vulnerable application.
Victim interactionRequired
A logged-in user must visit or load the attacker-controlled or injected page for the script to execute in their browser, making this a social-engineering or phishing-assisted attack.
Attack complexityDetail
The exploit is reliable and condition-free; no race conditions or special environmental factors are required.

Blast Radius

A successful attacker reads stored session tokens and application data accessible in the victim's browser context.
Injected scripts can bypass client-side security mechanisms such as same-origin checks or UI access controls enforced in the browser.
Depending on application permissions, the attacker can perform actions on the QNAP device on behalf of the authenticated victim, including reading or modifying stored files and settings.

How HarborGuard Handles This

Available on HarborGuard: detection of CVE-2026-41539 is matched against all customer images within minutes of CVE publication. For environments running an affected QTS or QuTS hero version, rebuilt images at the patched versions are available immediately. For customers who opt into auto-remediation, HarborGuard will rebuild the image at the appropriate fixed version, run a regression test, and open a PR against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual review, the CVE is routed to the appropriate team inbox with the CVSS 8.7 HIGH score and per-environment policy weighting attached for fast human triage.

See how HarborGuard automates this

Fix available

5.2.9.3492 build 20260507h5.2.9.3499 build 20260514h5.3.4.3500 build 20260520h6.0.0.3500 build 20260520

Affected packages

QNAP Systems Inc. / QTS
< 5.2.9.3492 build 20260507 (from 5.2.0)
QNAP Systems Inc. / QuTS hero
< h5.2.9.3499 build 20260514 (from h5.2.0) · < h5.3.4.3500 build 20260520 (from h5.3.0) · < h6.0.0.3500 build 20260520 (from ?)

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

qnap.com

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available