CVE-2026-22897

CRITICAL

QuNetSwitch

Title source: cna

Description

A command injection vulnerability has been reported to affect QuNetSwitch. Remote attackers can exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.4.0415 and later.

Scores

CVSS v3 9.8
EPSS 0.0039
EPSS Percentile 60.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE CWE-78
Status published
Products (2)
qnap/qunetswitch 2.0.1.13077 - 2.0.4.0415
QNAP Systems Inc./QuNetSwitch 2.0.x - 2.0.4.0415
Published Mar 20, 2026
Tracked Since Mar 20, 2026