CVE-2026-22901 | QNAP QuNetSwitch 2.0.4.0415 os command injection (qsa-26-11)

VDB-352100 · CVE-2026-22901 · QSA-26-11 QNAP QUNETSWITCH 2.0.4.0415 OS COMMAND INJECTION HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 8.4 $0-$5k 1.22+ Summaryinfo A vulnerability classified as critical was found in QNAP QuNetSwitch. Affected by this issue is some unknown functionality. Such manipulation leads to os command injection. This vulnerability is referenced as CVE-2026-22901. It is possible to launch the attack remotely. No exploit is available. Upgrading the affected component is advised. Detailsinfo A vulnerability, which was classified as critical, has been found in QNAP QuNetSwitch. Affected by this issue is an unknown function. The manipulation with an unknown input leads to a os command injection vulnerability. Using CWE to declare the problem leads to CWE-78. The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Impacted is confidentiality, integrity, and availability. CVE summarizes: A command injection vulnerability has been reported to affect QuNetSwitch. If a remote attacker gains a user account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.5.0906 and later The weakness was published by 產品安全漏洞獵捕計劃 as qsa-26-11. The advisory is shared for download at qnap.com. This vulnerability is handled as CVE-2026-22901 since 01/13/2026. The exploitation is known to be easy. The attack may be launched remotely. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1202. Upgrading to version 2.0.5.0906 eliminates this vulnerability. Productinfo Vendor QNAP Name QuNetSwitch Version 2.0.4.0415 License commercial Website Vendor: https://www.qnap.com/ CPE 2.3info 🔒 CPE 2.2info 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA CVSS-B Score: 🔒 CNA CVSS-BT Score: 🔒 CNA Vector: 🔒 CVSSv3info VulDB Meta Base Score: 8.8 VulDB Meta Temp Score: 8.4 VulDB Base Score: 8.8 VulDB Temp Score: 8.4 VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Os command injection CWE: CWE-78 / CWE-77 / CWE-74 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Upgrade Status: 🔍 0-Day Time: 🔒 Upgrade: QuNetSwitch 2.0.5.0906 Timelineinfo 01/13/2026 CVE reserved 03/20/2026 +66 days Advisory disclosed 03/20/2026 +0 days VulDB entry created 03/20/2026 +0 days VulDB entry last update Sourcesinfo Vendor: qnap.com Advisory: qsa-26-11 Researcher: 產品安全漏洞獵捕計劃 Status: Confirmed CVE: CVE-2026-22901 (🔒) GCVE (CVE): GCVE-0-2026-22901 GCVE (VulDB): GCVE-100-352100 Entryinfo Created: 03/20/2026 17:56 Changes: 03/20/2026 17:56 (69) Complete: 🔍 Cache ID: 99:C88:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸