vulnerability
QNAP QTS: CVE-2021-28806: DOM-Based XSS Vulnerability in QTS and QuTS hero
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 3 | (AV:N/AC:M/Au:S/C:N/I:P/A:N) | Jun 3, 2021 | Aug 4, 2025 | Mar 25, 2026 |
Severity
3
CVSS
(AV:N/AC:M/Au:S/C:N/I:P/A:N)
Published
Jun 3, 2021
Added
Aug 4, 2025
Modified
Mar 25, 2026
Description
A DOM-based XSS vulnerability has been reported to affect QNAP NAS running QTS and QuTS hero. If exploited, this vulnerability allows attackers to inject malicious code. We have already fixed this vulnerability in the following versions: QTS 4.5.3.1652 Build 20210428 and later QuTS hero h4.5.2.1638 Build 20210414 and later QuTScloud c4.5.5.1656 Build 20210503 and later QNAP NAS running QTS 4.3.6 and QTS 4.3.3 are not affected.
Solution
qnap-qts-upgrade-latest
References
- CWE-79
- CVE-2021-28806
- https://attackerkb.com/topics/CVE-2021-28806
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28806
- https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2021-28806
- https://www.qnap.com/en-uk/security-advisory/QSA-21-22
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2021-15462
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.