CVE-2026-26237
Published 2026-06-10
CVE-2026-26237: A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data…
Priority P3 · 48 · high · 7.5 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EPSS: 0.32% (23.9th percentile)
A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions.
We have already fixed the vulnerability in the following version:
QuMagie 2.9.0 and later
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| qnap | qumagie | < 2.9.0 | 2.9.0 |
| qnap_systems_inc | qumagie | >= 2.9.0 < 2.9.1 | 2.9.1 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
QNAP QuMagie up to 2.8.x authorization (qsa-26-10 / EUVD-2026-35978)
vuldb·2026-06-15·CVSS 7.5
CVE-2026-26237 [HIGH] QNAP QuMagie up to 2.8.x authorization (qsa-26-10 / EUVD-2026-35978)
A vulnerability labeled as problematic has been found in QNAP QuMagie up to 2.8.x. Affected is an unknown function. Executing a manipulation can lead to missing authorization.
This vulnerability is tracked as CVE-2026-26237. The attack can be launched remotely. No exploit exists.
The affected component should be upgraded.
GHSA
A missing authorization vulnerability has been reported to affect QuMagie.
ghsa_unreviewed·2026-06-10
CVE-2026-26237 [HIGH] CWE-359 A missing authorization vulnerability has been reported to affect QuMagie.
A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions.
We have already fixed the vulnerability in the following version:
QuMagie 2.9.0 and later
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-06-10