CVE-2026-22901

CWE-78 — OS Command Injection3 documents3 sources

Severity

6.3MEDIUM

EPSS

0.4%

top 41.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qnap Systems Inc. Qunetswitch Qnap Qunetswitch

Timeline

PublishedMar 20

Description

A command injection vulnerability has been reported to affect QuNetSwitch. If a remote attacker gains a user account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.5.0906 and later

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages2 packages

▶CVEListV5qnap_systems_inc./qunetswitch2.0.x — 2.0.5.0906

▶NVDqnap/qunetswitch2.0.1.13077 — 2.0.5.0906

🔴Vulnerability Details

GHSA

GHSA-2987-rjmh-cpp7: A command injection vulnerability has been reported to affect QuNetSwitch↗2026-03-20

▶

CVEList

QuNetSwitch↗2026-03-20

▶