>> Hax Security Vulnerabilities
An authentication bypass by spoofing vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to access resources which are not otherwise accessible without proper authentication.
We have already fixed the vulnerability in the following versions:
QTS 5.2.7.3297 build 20251024 and later
QuTS hero h5.2.7.3297 build 20251024 and later
QuTS hero h5.3.1.3292 build 20251024 and later
CVSS Score
9.8
EPSS Score
0.003
Published
2025-12-16
An authentication bypass by spoofing vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to access resources which are not otherwise accessible without proper authentication.
We have already fixed the vulnerability in the following versions:
QTS 5.2.7.3297 build 20251024 and later
QuTS hero h5.2.7.3297 build 20251024 and later
QuTS hero h5.3.1.3292 build 20251024 and later
CVSS Score
9.8
EPSS Score
0.003
Published
2025-12-16
An improper neutralization of argument delimiters in a command vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to alter execution logic.
We have already fixed the vulnerability in the following versions:
QTS 5.2.7.3297 build 20251024 and later
QuTS hero h5.2.7.3297 build 20251024 and later
QuTS hero h5.3.1.3292 build 20251024 and later
CVSS Score
7.5
EPSS Score
0.003
Published
2025-12-16
An improper neutralization of argument delimiters in a command vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to alter execution logic.
We have already fixed the vulnerability in the following versions:
QTS 5.2.7.3297 build 20251024 and later
QuTS hero h5.2.7.3297 build 20251024 and later
QuTS hero h5.3.1.3292 build 20251024 and later
CVSS Score
7.5
EPSS Score
0.003
Published
2025-12-16
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to launch a denial-of-service (DoS) attack.
We have already fixed the vulnerability in the following versions:
QTS 5.2.7.3297 build 20251024 and later
QuTS hero h5.2.7.3297 build 20251024 and later
QuTS hero h5.3.1.3292 build 20251024 and later
CVSS Score
7.5
EPSS Score
0.002
Published
2025-12-16
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to launch a denial-of-service (DoS) attack.
We have already fixed the vulnerability in the following versions:
QTS 5.2.7.3297 build 20251024 and later
QuTS hero h5.2.7.3297 build 20251024 and later
QuTS hero h5.3.1.3292 build 20251024 and later
CVSS Score
7.5
EPSS Score
0.002
Published
2025-12-16
An SQL injection vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to execute unauthorized code or commands.
We have already fixed the vulnerability in the following versions:
QTS 5.2.7.3297 build 20251024 and later
QuTS hero h5.2.7.3297 build 20251024 and later
QuTS hero h5.3.1.3292 build 20251024 and later
CVSS Score
9.8
EPSS Score
0.001
Published
2025-12-16
An SQL injection vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to execute unauthorized code or commands.
We have already fixed the vulnerability in the following versions:
QTS 5.2.7.3297 build 20251024 and later
QuTS hero h5.2.7.3297 build 20251024 and later
QuTS hero h5.3.1.3292 build 20251024 and later
CVSS Score
9.8
EPSS Score
0.001
Published
2025-12-16
ChurchCRM is an open-source church management system. Prior to version 6.5.0, a SQL injection vulnerability exists in the `EventEditor.php` file. When creating a new event and selecting an event type, the `EN_tyid` POST parameter is not sanitized. This allows an authenticated user with event management permissions (`isAddEvent`) to execute arbitrary SQL queries. Version 6.5.0 fixes the issue.
CVSS Score
7.2
EPSS Score
0.0
Published
2025-12-16
ChurchCRM is an open-source church management system. Prior to version 6.5.0, the application echoes back plaintext passwords submitted by users in subsequent HTTP responses. This information disclosure significantly increases the risk of credential compromise and may amplify the impact of other vulnerabilities (e.g., XSS, IDOR, session fixation), enabling attackers to harvest other users’ passwords. Version 6.5.0 fixes the issue.
CVSS Score
6.5
EPSS Score
0.0
Published
2025-12-16
Page 1