CVE-2025-66277 (GCVE-0-2025-66277)
Vulnerability from cvelistv5 – Published: 2026-02-11 12:15 – Updated: 2026-02-12 04:55
VLAI?
Title
QTS, QuTS hero
Summary
A link following vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to traverse the file system to unintended locations.
We have already fixed the vulnerability in the following versions:
QTS 5.2.8.3350 build 20251216 and later
QuTS hero h5.3.2.3354 build 20251225 and later
QuTS hero h5.2.8.3350 build 20251216 and later
Severity ?
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Affected:
5.2.x , < 5.2.8.3350 build 20251216
(custom)
|
|||||||
|
|||||||||
Credits
coral
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66277",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-11T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-12T04:55:17.675Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.2.8.3350 build 20251216",
"status": "affected",
"version": "5.2.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h5.3.2.3354 build 20251225",
"status": "affected",
"version": "h5.3.x",
"versionType": "custom"
},
{
"lessThan": "h5.2.8.3350 build 20251216",
"status": "affected",
"version": "h5.2.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "coral"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A link following vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to traverse the file system to unintended locations.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.2.8.3350 build 20251216 and later\u003cbr\u003eQuTS hero h5.3.2.3354 build 20251225 and later\u003cbr\u003eQuTS hero h5.2.8.3350 build 20251216 and later\u003cbr\u003e"
}
],
"value": "A link following vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to traverse the file system to unintended locations.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.2.8.3350 build 20251216 and later\nQuTS hero h5.3.2.3354 build 20251225 and later\nQuTS hero h5.2.8.3350 build 20251216 and later"
}
],
"impacts": [
{
"capecId": "CAPEC-132",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-132"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-11T12:15:43.851Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"url": "https://www.qnap.com/en/security-advisory/qsa-26-05"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.2.8.3350 build 20251216 and later\u003cbr\u003eQuTS hero h5.3.2.3354 build 20251225 and later\u003cbr\u003eQuTS hero h5.2.8.3350 build 20251216 and later\u003cbr\u003e"
}
],
"value": "We have already fixed the vulnerability in the following versions:\nQTS 5.2.8.3350 build 20251216 and later\nQuTS hero h5.3.2.3354 build 20251225 and later\nQuTS hero h5.2.8.3350 build 20251216 and later"
}
],
"source": {
"advisory": "QSA-26-05",
"discovery": "EXTERNAL"
},
"title": "QTS, QuTS hero",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2025-66277",
"datePublished": "2026-02-11T12:15:43.851Z",
"dateReserved": "2025-11-26T09:25:37.832Z",
"dateUpdated": "2026-02-12T04:55:17.675Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-66277\",\"sourceIdentifier\":\"security@qnapsecurity.com.tw\",\"published\":\"2026-02-11T13:15:58.380\",\"lastModified\":\"2026-02-12T17:01:35.340\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A link following vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to traverse the file system to unintended locations.\\n\\nWe have already fixed the vulnerability in the following versions:\\nQTS 5.2.8.3350 build 20251216 and later\\nQuTS hero h5.3.2.3354 build 20251225 and later\\nQuTS hero h5.2.8.3350 build 20251216 and later\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security@qnapsecurity.com.tw\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.2,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@qnapsecurity.com.tw\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-59\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:qts:5.2.0.2737:build_20240417:*:*:*:*:*:*\",\"matchCriteriaId\":\"F4026A4B-7AB4-48EA-971D-88DFDD3F01A7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:qts:5.2.0.2744:build_20240424:*:*:*:*:*:*\",\"matchCriteriaId\":\"1F3F99BB-0D68-4D74-92C8-59E24F96C50D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:qts:5.2.0.2782:build_20240601:*:*:*:*:*:*\",\"matchCriteriaId\":\"1DE63B4D-8E84-41D3-B1F3-04AE6040242B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:qts:5.2.0.2802:build_20240620:*:*:*:*:*:*\",\"matchCriteriaId\":\"75746563-C648-4E55-9126-703F915F8B8A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:qts:5.2.0.2823:build_20240711:*:*:*:*:*:*\",\"matchCriteriaId\":\"AF6BA027-A635-4E90-80C8-130B10AB3D23\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:qts:5.2.0.2851:build_20240808:*:*:*:*:*:*\",\"matchCriteriaId\":\"5406F242-A215-4B07-809F-7A7CE55ACE71\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:qts:5.2.0.2860:build_20240817:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA17778E-B3B1-44DD-B4E9-5AD25A3E804C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:qts:5.2.1.2930:build_20241025:*:*:*:*:*:*\",\"matchCriteriaId\":\"E3FC6646-2247-4ED9-9643-CD376674E2E7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:qts:5.2.2.2950:build_20241114:*:*:*:*:*:*\",\"matchCriteriaId\":\"62170342-067D-442C-88FB-64A4BEA8AFE4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:qts:5.2.3.3006:build_20250108:*:*:*:*:*:*\",\"matchCriteriaId\":\"82464467-E1E6-47E1-BDE5-DDFA52994A47\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:qts:5.2.4.3070:build_20250312:*:*:*:*:*:*\",\"matchCriteriaId\":\"75AE902C-0516-4341-9BF0-21D8803E091C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:qts:5.2.4.3079:build_20250321:*:*:*:*:*:*\",\"matchCriteriaId\":\"5B005D70-8C91-48D4-B09A-9EBE2E9E5090\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:qts:5.2.4.3092:build_20250403:*:*:*:*:*:*\",\"matchCriteriaId\":\"82FE5F89-A0E1-4D1B-A363-0A0D4141F502\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:qts:5.2.5.3145:build_20250526:*:*:*:*:*:*\",\"matchCriteriaId\":\"B21A9EE0-88D5-42D9-BA21-D55518FCC6E4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:qts:5.2.6.3195:build_20250715:*:*:*:*:*:*\",\"matchCriteriaId\":\"3B575CF2-21F3-4435-B6B4-61D79B34429C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:qts:5.2.6.3229:build_20250818:*:*:*:*:*:*\",\"matchCriteriaId\":\"E2EBD305-91E3-4BCC-835B-4878DF4DA3B8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:qts:5.2.7.3256:build_20250913:*:*:*:*:*:*\",\"matchCriteriaId\":\"554CB021-1477-4E63-8EBA-74056B4D8DA7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:qts:5.2.7.3297:build_20251024:*:*:*:*:*:*\",\"matchCriteriaId\":\"153F90E1-A54F-4B8D-AEEA-4643421AFF7F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:qts:5.2.8.3332:build_20251128:*:*:*:*:*:*\",\"matchCriteriaId\":\"EBDC5E20-6EF7-41B4-AEB7-6F2181BD8B50\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:quts_hero:h5.2.0.2737:build_20240417:*:*:*:*:*:*\",\"matchCriteriaId\":\"CDCBB36A-CB91-4BA3-A6ED-952E6A4A0481\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:quts_hero:h5.2.0.2782:build_20240601:*:*:*:*:*:*\",\"matchCriteriaId\":\"240BCFF1-CCCB-4C07-8E2C-7F43F68407FC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:quts_hero:h5.2.0.2789:build_20240607:*:*:*:*:*:*\",\"matchCriteriaId\":\"D3AF7276-77E0-474A-B10F-AC15BC5FCF00\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:quts_hero:h5.2.0.2802:build_20240620:*:*:*:*:*:*\",\"matchCriteriaId\":\"5FA8C3EC-B6C0-44A8-BC91-18E3E90C63AB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:quts_hero:h5.2.0.2823:build_20240711:*:*:*:*:*:*\",\"matchCriteriaId\":\"889336D2-D9F7-4CC0-A22F-B837B5E77751\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:quts_hero:h5.2.0.2851:build_20240808:*:*:*:*:*:*\",\"matchCriteriaId\":\"98F72EB9-0EE3-416A-B9BB-2512F5203A5A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:quts_hero:h5.2.0.2860:build_20240817:*:*:*:*:*:*\",\"matchCriteriaId\":\"9110382F-57C2-4C2E-82D1-3246C882B2C3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:quts_hero:h5.2.1.2929:build_20241025:*:*:*:*:*:*\",\"matchCriteriaId\":\"DB92EFD7-47DD-4AAC-97BD-A2D4918FF4ED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:quts_hero:h5.2.1.2940:build_20241105:*:*:*:*:*:*\",\"matchCriteriaId\":\"78E38E23-1AD0-49E1-89FA-73DC2F496137\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:quts_hero:h5.2.2.2952:build_20241116:*:*:*:*:*:*\",\"matchCriteriaId\":\"F2F302B6-26CC-4044-B480-4EBDBB90797F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:quts_hero:h5.2.3.3006:build_20250108:*:*:*:*:*:*\",\"matchCriteriaId\":\"BF0093B6-8D38-4D1E-AD71-79299123C2B1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:quts_hero:h5.2.4.3070:build_20250312:*:*:*:*:*:*\",\"matchCriteriaId\":\"48A3CDAA-B0C6-4280-B1AC-DDD027F9D632\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:quts_hero:h5.2.4.3079:build_20250321:*:*:*:*:*:*\",\"matchCriteriaId\":\"1807DE4F-CDF3-4E3B-ADC1-9535EF1D60FE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:quts_hero:h5.2.5.3138:build_20250519:*:*:*:*:*:*\",\"matchCriteriaId\":\"68FF7342-A0AF-4E75-9CD6-D584B450B8AB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:quts_hero:h5.2.6.3195:build_20250715:*:*:*:*:*:*\",\"matchCriteriaId\":\"A8E84E3D-943C-4DF5-86D3-DCAC3C034B81\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:quts_hero:h5.2.7.3256:build_20250913:*:*:*:*:*:*\",\"matchCriteriaId\":\"17720E05-1BBF-4605-A777-FA4059B3C2DC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:quts_hero:h5.2.7.3297:build_20251024:*:*:*:*:*:*\",\"matchCriteriaId\":\"39CB5F1C-9811-499D-9D32-34B40E0D475E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:quts_hero:h5.2.8.3321:build_20251117:*:*:*:*:*:*\",\"matchCriteriaId\":\"207E47AF-AADA-4A44-B0D6-3F8CE0285D46\"}]}]}],\"references\":[{\"url\":\"https://www.qnap.com/en/security-advisory/qsa-26-05\",\"source\":\"security@qnapsecurity.com.tw\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-66277\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-11T16:48:58.513802Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-11T16:49:03.424Z\"}}], \"cna\": {\"title\": \"QTS, QuTS hero\", \"source\": {\"advisory\": \"QSA-26-05\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"coral\"}], \"impacts\": [{\"capecId\": \"CAPEC-132\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-132\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 9.2, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"QNAP Systems Inc.\", \"product\": \"QTS\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.2.x\", \"lessThan\": \"5.2.8.3350 build 20251216\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"QNAP Systems Inc.\", \"product\": \"QuTS hero\", \"versions\": [{\"status\": \"affected\", \"version\": \"h5.3.x\", \"lessThan\": \"h5.3.2.3354 build 20251225\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"h5.2.x\", \"lessThan\": \"h5.2.8.3350 build 20251216\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"We have already fixed the vulnerability in the following versions:\\nQTS 5.2.8.3350 build 20251216 and later\\nQuTS hero h5.3.2.3354 build 20251225 and later\\nQuTS hero h5.2.8.3350 build 20251216 and later\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"We have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.2.8.3350 build 20251216 and later\u003cbr\u003eQuTS hero h5.3.2.3354 build 20251225 and later\u003cbr\u003eQuTS hero h5.2.8.3350 build 20251216 and later\u003cbr\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://www.qnap.com/en/security-advisory/qsa-26-05\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A link following vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to traverse the file system to unintended locations.\\n\\nWe have already fixed the vulnerability in the following versions:\\nQTS 5.2.8.3350 build 20251216 and later\\nQuTS hero h5.3.2.3354 build 20251225 and later\\nQuTS hero h5.2.8.3350 build 20251216 and later\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"A link following vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to traverse the file system to unintended locations.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.2.8.3350 build 20251216 and later\u003cbr\u003eQuTS hero h5.3.2.3354 build 20251225 and later\u003cbr\u003eQuTS hero h5.2.8.3350 build 20251216 and later\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-59\", \"description\": \"CWE-59\"}]}], \"providerMetadata\": {\"orgId\": \"2fd009eb-170a-4625-932b-17a53af1051f\", \"shortName\": \"qnap\", \"dateUpdated\": \"2026-02-11T12:15:43.851Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-66277\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-11T16:49:06.520Z\", \"dateReserved\": \"2025-11-26T09:25:37.832Z\", \"assignerOrgId\": \"2fd009eb-170a-4625-932b-17a53af1051f\", \"datePublished\": \"2026-02-11T12:15:43.851Z\", \"assignerShortName\": \"qnap\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…