QTS, QuTS hero
CVE-2026-41539

8.7HIGH

Key Information:

Vendor: QNAP
Status: Qts; Quts Hero
Vendor: CVE Published:; 9 June 2026

What is CVE-2026-41539?

A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to bypass security mechanisms or read application data.

We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3500 build 20260520 and later

Affected Version(s)

QTS 5.2.0 < 5.2.9.3492 build 20260507

QuTS hero h5.2.0

QuTS hero h5.3.0

References

https://www.qnap.com/en/security-advisory/qsa-26-31

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 9, 2026
Vulnerability Reserved
Apr 21, 2026

CVE-2026-41539 Data

JSON