{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22895", "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "state": "PUBLISHED", "assignerShortName": "qnap", "dateReserved": "2026-01-13T07:49:08.783Z", "datePublished": "2026-03-20T16:21:40.989Z", "dateUpdated": "2026-03-25T14:03:29.588Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap", "dateUpdated": "2026-03-20T16:21:40.989Z"}, "title": "QuFTP Service", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592"}]}], "affected": [{"vendor": "QNAP Systems Inc.", "product": "QuFTP Service", "versions": [{"status": "affected", "version": "1.4.x", "lessThan": "1.4.3", "versionType": "custom"}, {"status": "affected", "version": "1.5.x", "lessThan": "1.5.2", "versionType": "custom"}, {"status": "affected", "version": "1.6.x", "lessThan": "1.6.2", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A cross-site scripting (XSS) vulnerability has been reported to affect QuFTP Service. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data.\n\nWe have already fixed the vulnerability in the following versions:\nQuFTP Service 1.4.3 and later\nQuFTP Service 1.5.2 and later\nQuFTP Service 1.6.2 and later", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A cross-site scripting (XSS) vulnerability has been reported to affect QuFTP Service. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data.<br><br>We have already fixed the vulnerability in the following versions:<br>QuFTP Service 1.4.3 and later<br>QuFTP Service 1.5.2 and later<br>QuFTP Service 1.6.2 and later<br>"}]}], "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-26-15"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "LOW", "baseScore": 2.2, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:U"}}], "solutions": [{"lang": "en", "value": "We have already fixed the vulnerability in the following versions:\nQuFTP Service 1.4.3 and later\nQuFTP Service 1.5.2 and later\nQuFTP Service 1.6.2 and later", "supportingMedia": [{"type": "text/html", "base64": false, "value": "We have already fixed the vulnerability in the following versions:<br>QuFTP Service 1.4.3 and later<br>QuFTP Service 1.5.2 and later<br>QuFTP Service 1.6.2 and later<br>"}]}], "credits": [{"lang": "en", "value": "Milan Solanki (LeoSecurity)", "type": "finder"}], "source": {"advisory": "QSA-26-15", "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T14:03:23.314590Z", "id": "CVE-2026-22895", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:03:29.588Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22895", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T14:03:23.314590Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:03:26.323Z"}}], "cna": {"title": "QuFTP Service", "source": {"advisory": "QSA-26-15", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Milan Solanki (LeoSecurity)"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:U", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "QNAP Systems Inc.", "product": "QuFTP Service", "versions": [{"status": "affected", "version": "1.4.x", "lessThan": "1.4.3", "versionType": "custom"}, {"status": "affected", "version": "1.5.x", "lessThan": "1.5.2", "versionType": "custom"}, {"status": "affected", "version": "1.6.x", "lessThan": "1.6.2", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "We have already fixed the vulnerability in the following versions:\nQuFTP Service 1.4.3 and later\nQuFTP Service 1.5.2 and later\nQuFTP Service 1.6.2 and later", "supportingMedia": [{"type": "text/html", "value": "We have already fixed the vulnerability in the following versions:<br>QuFTP Service 1.4.3 and later<br>QuFTP Service 1.5.2 and later<br>QuFTP Service 1.6.2 and later<br>", "base64": false}]}], "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-26-15"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A cross-site scripting (XSS) vulnerability has been reported to affect QuFTP Service. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data.\n\nWe have already fixed the vulnerability in the following versions:\nQuFTP Service 1.4.3 and later\nQuFTP Service 1.5.2 and later\nQuFTP Service 1.6.2 and later", "supportingMedia": [{"type": "text/html", "value": "A cross-site scripting (XSS) vulnerability has been reported to affect QuFTP Service. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data.<br><br>We have already fixed the vulnerability in the following versions:<br>QuFTP Service 1.4.3 and later<br>QuFTP Service 1.5.2 and later<br>QuFTP Service 1.6.2 and later<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79"}]}], "providerMetadata": {"orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap", "dateUpdated": "2026-03-20T16:21:40.989Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22895", "state": "PUBLISHED", "dateUpdated": "2026-03-25T14:03:29.588Z", "dateReserved": "2026-01-13T07:49:08.783Z", "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "datePublished": "2026-03-20T16:21:40.989Z", "assignerShortName": "qnap"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qnap:quftp:*:*:*:*:*:*:*:*", "matchCriteriaId": "8AF46F9E-A99D-4560-94A4-3F39EEC8A58E", "versionEndExcluding": "1.4.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:qnap:quftp:*:*:*:*:*:*:*:*", "matchCriteriaId": "520716D2-C2AB-46A8-B05B-79067068739C", "versionEndExcluding": "1.5.2", "versionStartIncluding": "1.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:qnap:quftp:*:*:*:*:*:*:*:*", "matchCriteriaId": "1A623683-1FE1-4E64-BFD2-081AF6954E30", "versionEndExcluding": "1.6.2", "versionStartIncluding": "1.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A cross-site scripting (XSS) vulnerability has been reported to affect QuFTP Service. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data.\n\nWe have already fixed the vulnerability in the following versions:\nQuFTP Service 1.4.3 and later\nQuFTP Service 1.5.2 and later\nQuFTP Service 1.6.2 and later"}, {"lang": "es", "value": "Una vulnerabilidad de cross-site scripting (XSS) ha sido reportada que afecta a QuFTP Service. Si un atacante remoto obtiene una cuenta de administrador, puede entonces explotar la vulnerabilidad para eludir mecanismos de seguridad o leer datos de la aplicaci\u00f3n.\n\nYa hemos corregido la vulnerabilidad en las siguientes versiones:\nQuFTP Service 1.4.3 y posteriores\nQuFTP Service 1.5.2 y posteriores\nQuFTP Service 1.6.2 y posteriores"}], "id": "CVE-2026-22895", "lastModified": "2026-04-10T20:51:58.103", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.2, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@qnapsecurity.com.tw", "type": "Secondary"}]}, "published": "2026-03-20T17:16:43.980", "references": [{"source": "security@qnapsecurity.com.tw", "tags": ["Vendor Advisory"], "url": "https://www.qnap.com/en/security-advisory/qsa-26-15"}], "sourceIdentifier": "security@qnapsecurity.com.tw", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@qnapsecurity.com.tw", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[1.4.x,1.4.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[1.5.x,1.5.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[1.6.x,1.6.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "product": "quftp_service", "vendor": "qnap_systems"}], "analysis": {"en": {"generated_at": "2026-04-10T22:47:35.350100+00:00", "value": {"mitigation_remediation": ["Upgrade QuFTP Service to version 1.4.3 or later, 1.5.2 or later, or 1.6.2 or later, depending on the currently running release.", "Verify that the new firmware is active and that the web interface no longer accepts reflected input.", "Monitor system logs for unusual scripting activity and ensure no unauthorized admin accounts exist."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "QNAP Systems Inc. provides the QuFTP Service. Any release prior to QuFTP Service 1.4.3, 1.5.2, or 1.6.2 is vulnerable. Users running these older versions should be aware that the issue affects the entire application exposed through the web management console.", "description_and_impact": "A cross\u2011site scripting flaw in QNAP's QuFTP Service allows a remote attacker who has acquired an administrator account to inject malicious scripts into the web interface. The injected code can read application data and potentially bypass existing security checks, creating opportunities for defacement, data theft, or credential hijacking. The weakness is identified as CWE\u201179 and is limited to scenarios where privileged credentials are present.", "risk_and_exploitability": "The CVSS score is 2.2 and the EPSS score is below 1\u202f%, indicating a low but existing risk. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to have an administrator login; the likely attack vector, inferred from the nature of the flaw, is through the web interface where user\u2011controlled input is reflected in rendered pages. Given the low severity and the privileged\u2011user prerequisite, the overall threat is moderate until the patch is deployed."}}}}, "created": "2026-03-23T09:53:19.017889+00:00", "title": "Cross\u2011Site Scripting Vulnerability in QuFTP Service Allows Remote Attackers with Admin Access to Read Application Data", "updated": "2026-04-13T14:28:25.045787+00:00", "vendors": ["qnap_systems", "qnap_systems$PRODUCT$quftp_service"]}