A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to read the contents of unexpected files and expose sensitive data.
We have already fixed the vulnerability in the following versions:
QTS 5.2.1.2930 build 20241025 and later
QuTS hero h5.2.1.2929 build 20241025 and later
                
            References
                    | Link | Resource | 
|---|---|
| https://www.qnap.com/en/security-advisory/qsa-24-43 | Vendor Advisory | 
Configurations
                    Configuration 1 (hide)
| 
 | 
Configuration 2 (hide)
| 
 | 
History
                    23 Sep 2025, 13:35
| Type | Values Removed | Values Added | 
|---|---|---|
| First Time | Qnap Qnap quts Hero Qnap qts | |
| CVSS | v2 : v3 : | v2 : unknown v3 : 4.9 | 
| References | () https://www.qnap.com/en/security-advisory/qsa-24-43 - Vendor Advisory | |
| CPE | cpe:2.3:o:qnap:qts:5.2.0.2737:build_20240417:*:*:*:*:*:* cpe:2.3:o:qnap:qts:5.2.0.2860:build_20240817:*:*:*:*:*:* cpe:2.3:o:qnap:qts:5.2.0.2744:build_20240424:*:*:*:*:*:* cpe:2.3:o:qnap:qts:5.2.0.2851:build_20240808:*:*:*:*:*:* cpe:2.3:o:qnap:quts_hero:h5.2.0.2860:build_20240817:*:*:*:*:*:* cpe:2.3:o:qnap:quts_hero:h5.2.0.2851:build_20240808:*:*:*:*:*:* cpe:2.3:o:qnap:qts:5.2.0.2802:build_20240620:*:*:*:*:*:* cpe:2.3:o:qnap:qts:5.2.0.2823:build_20240711:*:*:*:*:*:* cpe:2.3:o:qnap:quts_hero:h5.2.0.2789:build_20240607:*:*:*:*:*:* cpe:2.3:o:qnap:quts_hero:h5.2.0.2802:build_20240620:*:*:*:*:*:* cpe:2.3:o:qnap:quts_hero:h5.2.0.2823:build_20240711:*:*:*:*:*:* cpe:2.3:o:qnap:quts_hero:h5.2.0.2782:build_20240601:*:*:*:*:*:* cpe:2.3:o:qnap:quts_hero:h5.2.0.2737:build_20240417:*:*:*:*:*:* cpe:2.3:o:qnap:qts:5.2.0.2782:build_20240601:*:*:*:*:*:* | 
Information
                Published : 2024-11-22 16:15
Updated : 2025-09-23 13:35
NVD link : CVE-2024-37046
Mitre link : CVE-2024-37046
CVE.ORG link : CVE-2024-37046
JSON object : View
Products Affected
                qnap
- qts
- quts_hero
CWE
                
                    
                        
                        CWE-22
                        
            Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
