CVE-2024-14026

HIGH

QNAP QTS/QuTS hero - Command Injection

Title source: llm

Description

A command injection vulnerability has been reported to affect several QNAP operating system versions. If an attacker gains local network access who have also gained a user account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later QTS 5.2.3.3006 build 20250108 and later QuTS hero h5.1.9.2954 build 20241120 and later QuTS hero h5.2.3.3006 build 20250108 and later

References (1)

[Various Sources] https://www.qnap.com/en/security-advisory/qsa-24-54

Scores

CVSS v3 7.8

EPSS 0.0002

EPSS Percentile 3.7%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (48)

qnap/qts 5.1.0.2348 build_20230325

qnap/qts 5.1.0.2399 build_20230515

qnap/qts 5.1.0.2418 build_20230603

qnap/qts 5.1.0.2444 build_20230629

qnap/qts 5.1.0.2466 build_20230721

qnap/qts 5.1.1.2491 build_20230815

qnap/qts 5.1.2.2533 build_20230926

qnap/qts 5.1.3.2578 build_20231110

qnap/qts 5.1.4.2596 build_20231128

qnap/qts 5.1.5.2645 build_20240116

... and 38 more

Published Mar 11, 2026

Tracked Since Mar 11, 2026