Command Injection Vulnerability in QNAP Operating Systems
CVE-2024-14026

2LOW

Key Information:

Vendor: QNAP
Status: Qts; Quts Hero
Vendor: CVE Published:; 11 March 2026

What is CVE-2024-14026?

A command injection vulnerability has been identified that impacts several versions of QNAP's operating systems. If an attacker with local network access and a valid user account exploits this vulnerability, they can execute arbitrary commands on the affected system. This poses a significant risk as it allows unauthorized actions to be performed, potentially leading to further exploitation of the system.

Affected Version(s)

QTS 5.1.x < 5.1.9.2954 build 20241120

QTS 5.2.x < 5.2.3.3006 build 20250108

QuTS hero h5.1.x

References

https://www.qnap.com/en/security-advisory/qsa-24-54

CVSS V4

Score:

Severity:

LOW

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Physical

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 11, 2026
Vulnerability Reserved
Mar 9, 2026

CVE-2024-14026 Data

JSON