CVE-2024-14026

CWE-78OS Command Injection3 documents3 sources
Severity
2.0LOW
EPSS
0.0%
top 96.42%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Qnap Systems Inc. QTSQnap Systems Inc. Quts HeroQnap QTS+1 more
Timeline
PublishedMar 11

Description

A command injection vulnerability has been reported to affect several QNAP operating system versions. If an attacker gains local network access who have also gained a user account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later QTS 5.2.3.3006 build 20250108 and later QuTS hero h5.1.9.2954 build 20241120 and later QuTS hero h5.2.3.3006 build 20250108 and later

CVSS vector

CVSS:4.0/AV:P/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages4 packages

CVEListV5qnap_systems_inc./quts_heroh5.1.xh5.1.9.2954 build 20241120+1
NVDqnap/quts_hero25 versions+24
CVEListV5qnap_systems_inc./qts5.1.x5.1.9.2954 build 20241120+1
NVDqnap/qts23 versions+22

🔴Vulnerability Details

2
CVEList
QTS, QuTS hero2026-03-11
GHSA
GHSA-jpfg-j56h-r5vw: A command injection vulnerability has been reported to affect several QNAP operating system versions2026-03-11
CVE-2024-14026 (LOW CVSS 2) | A command injection vulnerability h | cvebase.io