SB20260216159 - Multiple vulnerabilities in QNAP File Station 5

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB20260216159

SB20260216159 - Multiple vulnerabilities in QNAP File Station 5

Published: February 16, 2026

Security Bulletin ID SB20260216159
Severity
Medium
Patch available
YES
Number of vulnerabilities 13
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 54% Low 46%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 13 secuirty vulnerabilities.


1) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-54155)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to allocation of resources without limits or throttling. A remote administrator can pass specially crafted input to the application and perform a denial of service (DoS) attack.


2) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-54161)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to allocation of resources without limits or throttling. A remote administrator can pass specially crafted input to the application and perform a denial of service (DoS) attack.


3) Path traversal (CVE-ID: CVE-2025-54162)

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. A remote administrator can send a specially crafted HTTP request and read arbitrary files on the system.


4) Path traversal (CVE-ID: CVE-2025-62853)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. A remote user can send a specially crafted HTTP request and read arbitrary files on the system.


5) Path traversal (CVE-ID: CVE-2025-66278)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. A remote user can send a specially crafted HTTP request and read arbitrary files on the system.


6) Path traversal (CVE-ID: CVE-2026-22894)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. A remote user can send a specially crafted HTTP request and read arbitrary files on the system.


7) Path traversal (CVE-ID: CVE-2025-62855)

The vulnerability allows a local user to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. A local administrator can send a specially crafted HTTP request and read arbitrary files on the system.


8) Path traversal (CVE-ID: CVE-2025-62856)

The vulnerability allows a local user to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. A local administrator can send a specially crafted HTTP request and read arbitrary files on the system.


9) NULL pointer dereference (CVE-ID: CVE-2025-54163)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote administrator can pass specially crafted data to the application and perform a denial of service (DoS) attack.


10) Out-of-bounds read (CVE-ID: CVE-2025-54169)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition. A remote user can trigger an out-of-bounds read error and read contents of memory on the system.


11) Code Injection (CVE-ID: CVE-2025-57707)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper neutralization of directives in statically saved code. A remote user can execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


12) Improper Authentication (CVE-ID: CVE-2025-57713)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error when processing authentication requests. A remote attacker can bypass authentication process and gain unauthorized access to sensitive information.


13) Resource exhaustion (CVE-ID: CVE-2025-62854)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote user can trigger resource exhaustion and perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.

References