
QNAP QTS: CVE-2026-22899: Vulnerabilities in QTS, QuTS hero, QuTS cloud, and QVP (QVR Pro appliances)

Severity: 7
CVSS: (AV:N/AC:L/Au:S/C:N/I:N/A:C)
Published: Jun 17, 2026
Added: Jun 17, 2026
Modified: Jun 24, 2026

Description

Multiple vulnerabilities have been reported to affect QTS, QuTS hero, QuTS cloud and QVP (QVR Pro appliances):

- CVE-2025-59382: URL injection vulnerability. A remote attacker can modify the password reset URL and trick a victim into visiting an attacker-controlled password reset page, leading to credential theft.
- CVE-2025-66273: Command injection vulnerability. An authenticated administrator can inject arbitrary system commands through the username parameter, leading to command execution on the NAS.
- CVE-2025-66279: Command injection vulnerability in user deletion APIs. An authenticated administrator can exploit this vulnerability to execute arbitrary commands on the NAS.
- CVE-2026-22893: Command injection vulnerability. An authenticated administrator can exploit this vulnerability to execute arbitrary commands with elevated privileges.
- CVE-2025-62858: Stack overflow vulnerability. If a remote attacker with administrator privileges exploits this vulnerability, they may cause memory corruption and unexpected system behavior.
- CVE-2025-66280: Stack manipulation vulnerability. If an authenticated administrator exploits this vulnerability, they may cause unexpected system behavior or a denial-of-service condition.
- CVE-2025-68405: Stack overflow vulnerability. If an authenticated administrator exploits this vulnerability, they may cause a denial-of-service condition.
- CVE-2026-26239: Stack-based buffer overflow. If an authenticated user exploits this vulnerability, they may perform unauthorized actions.
- CVE-2026-26240: Stack-based buffer overflow. An overly long upload filename can trigger a stack-based buffer overflow in utilRequest.cgi, resulting in a service crash.
- CVE-2026-26241: Stack-based buffer overflow. An authenticated or unauthenticated remote attacker can supply an excessively long filename during chunked file uploads, triggering a stack-based buffer overflow and causing the affected CGI process to crash.
- CVE-2026-24724: Broken access control. An authenticated user may bypass intended access restrictions and access sensitive files.
- CVE-2026-22899: NULL pointer dereference. An authenticated low-privileged user can trigger a NULL pointer dereference in utilRequest.cgi, causing a segmentation fault and resulting in a denial-of-service condition.
- CVE-2026-24720: Uncontrolled resource consumption vulnerability. An authenticated remote attacker can exploit the vulnerability to consume excessive system resources, causing high CPU and memory usage and degrading system responsiveness.
- CVE-2025-66281: Pre-authentication NULL pointer vulnerability. A malformed HTTP request with a missing or empty content-length header can trigger a NULL pointer dereference, resulting in a denial-of-service condition.

We have already fixed the vulnerabilities in the following version:

Solution

qnap-qts-upgrade-latest