CVE-2025-29894 — SQL Injection in Systems INC Qsync Central

CWE-89 — SQL Injection3 documents3 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 72.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qnap Systems INC Qsync Central Qnap Qsync Central

Timeline

PublishedAug 29

Description

An SQL injection vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following version: Qsync Central 4.5.0.7 ( 2025/04/23 ) and later

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages2 packages

▶NVDqnap/qsync_central4.5.0.3 — 4.5.0.7

▶CVEListV5qnap_systems_inc/qsync_central4.5.x.x — 4.5.0.7 ( 2025/04/23 )

🔴Vulnerability Details

CVEList

Qsync Central↗2025-08-29

▶

GHSA

GHSA-v458-39f3-x6wh: An SQL injection vulnerability has been reported to affect Qsync Central↗2025-08-29

▶