Primary

Context

QNAP QTS and QuTS hero Link Following Vulnerability Allowing Unintended File System Traversal

Vulnerability

Patched

A link following vulnerability has been identified in QNAP QTS versions 5.2.x and QuTS hero h5.2.x. This vulnerability allows remote attackers to traverse the file system, accessing unintended locations. The issue has been resolved in QTS 5.2.8.3350 build 20251216 and later, as well as QuTS hero h5.2.8.3350 build 20251216 and later.

Impact

Exploitation of this vulnerability allows for unauthorized file system traversal, potentially leading to access of sensitive files or directories.

Remediation

Users are advised to update to QTS 5.2.8.3350 build 20251216 or later, or to QuTS hero h5.2.8.3350 build 20251216 or later. Instructions for updating QTS or QuTS hero are available on the QNAP website.

Added: Feb 11, 2026, 1:19 PM

Updated: Feb 11, 2026, 5:08 PM

Vulnerability Rating

Custom Algorithm

spread

6.8

impact

0.6

exploitability

6.3

remediation

0.0

relevance

2.9

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

6.8

impact

0.6

exploitability

6.3

remediation

0.0

relevance

2.9

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

QNAP QTS and QuTS hero Link Following Vulnerability Allowing Unintended File System Traversal

Vulnerability

Impact

Remediation

Affected Products

QNAP QTS

QNAP QuTS hero

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating