Primary

Context

QNAP HBS 3 Hybrid Backup Sync External Control of File Name or Path Vulnerability

Vulnerability

Patched

A vulnerability allowing external control of file names or paths has been identified in QNAP HBS 3 Hybrid Backup Sync versions 26.1.x and earlier. This vulnerability can be exploited by an attacker with local network access to read or modify files and directories.

Impact

Exploitation of this vulnerability could lead to unauthorized reading or modification of files and directories on the affected system.

Remediation

Users are advised to update HBS 3 Hybrid Backup Sync to version 26.2.0.938 or later. Instructions for updating the application are available on the QNAP website.

Added: Jan 2, 2026, 4:23 PM

Updated: Jan 2, 2026, 4:51 PM

Vulnerability Rating

Custom Algorithm

spread

5.7

impact

1.3

exploitability

4.9

remediation

7.7

relevance

1.8

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.7

impact

1.3

exploitability

4.9

remediation

7.7

relevance

1.8

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

QNAP HBS 3 Hybrid Backup Sync External Control of File Name or Path Vulnerability

Vulnerability

Impact

Remediation

Affected Products

QNAP HBS 3 Hybrid Backup Sync

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating