Cross-Site Scripting Flaw in Notification Center by QNAP
CVE-2025-54167

7.2HIGH

Key Information:

Vendor: QNAP
Status: Notification Center
Vendor: CVE Published:; 7 November 2025

What is CVE-2025-54167?

A cross-site scripting vulnerability exists in QNAP's Notification Center, enabling remote attackers with administrator privileges to inject malicious scripts. This vulnerability allows attackers to potentially bypass security mechanisms and access sensitive application data, posing a significant risk if not addressed. Users are advised to update to the latest versions of Notification Center to mitigate this risk.

Affected Version(s)

Notification Center 2.1.x < 2.1.0.3443

Notification Center 1.9.x < 1.9.2.3163

Notification Center 3.0.x < 3.0.0.3466

References

https://www.qnap.com/en/security-advisory/qsa-25-40

CVSS V4

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 7, 2025
Vulnerability Reserved
Jul 17, 2025

Credit

Mohammad Abdullah - Infosec Researcher & Bugbounty hunter

JSON