QNAP updates QTS, QuTS and apps like QuMagic to fix various security vulnerabilities

QNAP has published two security bulletins that address various vulnerabilities in your applications and operating systems. The first fix package fixes critical flaws that allow unauthorized access to files, while the second fixes important security holes in the core firmware that would allow everything from command injections to denial of service attacks.

He bulletin QSA-26-35 focuses on critical flaws in photo management app QuMagie and in the License Center tool. QuMagie vulnerabilities (CVE-2026-26236, CVE-2026-26237, and CVE-2026-44083) allow unauthenticated, remote attackers to bypass access controls to view stored media files, access AI facial recognition thumbnails, and download entire albums. Other security improvements have also been applied in these updates.

On the other hand, the bulletin QSA-26-10 focuses on vulnerabilities in the operating systems of its NAS: QTS, QuTS hero, QuTS cloud and in QVP video surveillance systems. The bugs fixed include a vulnerability that allowed URL injection to spoof password reset pages (CVE-2025-59382), multiple command injections that allow arbitrary code execution with elevated privileges (CVE-2025-66273, CVE-2025-66279, and CVE-2026-22893), and various bugs that could lead to overflow attacks. buffers that could cause system crashes or denials of service.

Updates with security patches are now available. QNAP has confirmed the deployment of the following software versions to correct the described flaws:

• QuMagie: Fixed in versions 2.9.1 and 2.10.0.
• License Center: Fixed in version 2.0.42.
• QTS: Fixed in version 5.2.10.
• Whats hero: Fixed in version h5.2.9.
• QuTS cloud: Fixed in version c5.2.9.
• QVP (QVR Pro): Fixed in version 2.8.0.