CVE-2026-41539

N/A

A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to bypass security mechanisms ...

Affects 0 products across 1 vendor.

CVSS v48.7
EPSS0.2%
Percentile9th
PatchUnknown
CWE Weakness Definitions
CWE-79: Cross-Site Scripting (XSS)

Attacker injects malicious scripts into web pages viewed by other users, executing in the victim's browser context.

◆ SAGE Intelligence — CITED Relevance Research Team

A stored or reflected cross-site scripting (XSS) vulnerability affects multiple QNAP operating system versions (QTS and QuTS hero), allowing remote attackers to inject and execute malicious scripts in the context of authenticated user sessions. Attackers can leverage this to bypass security mechanisms, steal session tokens, or exfiltrate application data. In OT environments where QNAP NAS devices are used for historian data storage, backup, or file sharing, exploitation could lead to credential theft and lateral movement into sensitive ICS network segments.

Is this CVE in your environment?

BreachSpider monitors your ICS/OT environment for vulnerabilities like this one. No agents or network access required. Free to start.

Check My Environment →
Frequently Asked Questions
What is CVE-2026-41539?
A stored or reflected cross-site scripting (XSS) vulnerability affects multiple QNAP operating system versions (QTS and QuTS hero), allowing remote attackers to inject and execute malicious scripts in the context of authenticated user sessions. Attackers can leverage this to bypass security mechanisms, steal session tokens, or exfiltrate application data. In OT environments where QNAP NAS devices are used for historian data storage, backup, or file sharing, exploitation could lead to credential
Is CVE-2026-41539 actively exploited?
No confirmed active exploitation of CVE-2026-41539 as of 2026-06-24.
How do I remediate CVE-2026-41539?
Update to QTS 5.2.9.3492 build 20260507; QuTS hero h5.2.9.3499 build 20260514; QuTS hero h5.3.4.3500 build 20260520; QuTS hero h6.0.0.3500 build 20260520 or later. Patches resolve the XSS vulnerability by implementing proper input validation and output encoding in the affected QNAP web application components across QTS and QuTS hero operating system lines, preventing attackers from injecting malicious scripts that execute in authenticated user browser sessions. Advisory: https://www.qnap.com/en/security-advisory/qsa-2026-41539
What systems are affected by CVE-2026-41539?
CVE-2026-41539 affects: Qnap.
Vulnerability Details
CVE IDCVE-2026-41539
Published2026-06-09
Last Modified2026-06-09
ICS Relevance55%
Weakness (CWE)
SourceNVD
Official Description

A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3500 build 20260520 and later

Source: NIST NVD / MITRE CVE Database

Affected Products
VendorProductFixed Version
Qnap —
Remediation

Fixed Version: QTS 5.2.9.3492 build 20260507; QuTS hero h5.2.9.3499 build 20260514; QuTS hero h5.3.4.3500 build 20260520; QuTS hero h6.0.0.3500 build 20260520

Patches resolve the XSS vulnerability by implementing proper input validation and output encoding in the affected QNAP web application components across QTS and QuTS hero operating system lines, preventing attackers from injecting malicious scripts that execute in authenticated user browser sessions.

View Vendor Advisory →
Threat Intelligence
● Threat Intelligence Validated: July 2026 | Threat Age: 33 Days
CISA KEVNot in KEV catalog
Public ExploitNot confirmed
PoC CodeNot confirmed
● Virtual Patch — CITED Relevance SAGE Engine MEDIUM CONFIDENCE

Deploy a Web Application Firewall (WAF) or reverse proxy with XSS filtering rules in front of all QNAP NAS web management interfaces. Block inbound HTTP/HTTPS traffic to QNAP management ports (80, 443, 8080) from any source outside of designated administrator workstation IP ranges at the OT DMZ perimeter firewall. Additionally, apply egress filtering to prevent NAS devices from initiating outbound connections to external hosts.

No reliable network detection signature exists for this vulnerability class — apply the compensating controls above and the vendor patch. SAGE only publishes a network rule when a concrete on-the-wire signature can be grounded in the advisory.

Virtual patch generated by CITED Relevance SAGE. Validate in isolated environment before production deployment. Compensating control only - does not replace vendor patch.

Related CVEs affecting Qnap
CVE-2017-7876 10.0 This command injection vulnerability in QTS allows attackers to run arbitrary... CVE-2024-32766 10.0 An OS command injection vulnerability has been reported to affect several QNA... CVE-2024-32764 9.9 A missing authentication for critical function vulnerability has been reporte... CVE-2017-17033 9.8 A buffer overflow vulnerability in password function in QNAP QTS version 4.2.... CVE-2017-17028 9.8 A buffer overflow vulnerability in external device function in QNAP QTS versi...
View all Qnap CVEs →

ICS/OT Vulnerability Intelligence for Your Environment

BreachSpider monitors 353,228 CVEs across ICS/OT vendors. SAGE-enriched alerts with virtual patches, NERC-CIP mapping, and PSIRT contacts delivered to your SIEM in minutes.

Join free →