CVE-2024-48866

MEDIUM
Published Dec 6, 2024 Modified Sep 23, 2025 CWE-177

Description

An improper handling of URL encoding (Hex Encoding) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to run the system into unexpected state. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later QTS 5.2.2.2950 build 20241114 and later QuTS hero h5.1.9.2954 build 20241120 and later QuTS hero h5.2.2.2952 build 20241116 and later

CVSS v3.1 Score

5.3
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Weakness Type (CWE)

CWE-177 CWE-177

Affected Products

Vendor Product
qnap qts
qnap qts
qnap qts
qnap qts
qnap qts
qnap qts
qnap qts
qnap qts
qnap qts
qnap qts
qnap qts
qnap qts
qnap qts
qnap qts
qnap qts
qnap qts
qnap qts
qnap qts
qnap qts
qnap qts
qnap qts
qnap qts
qnap quts_hero
qnap quts_hero
qnap quts_hero
qnap quts_hero
qnap quts_hero
qnap quts_hero
qnap quts_hero
qnap quts_hero
qnap quts_hero
qnap quts_hero
qnap quts_hero
qnap quts_hero
qnap quts_hero
qnap quts_hero
qnap quts_hero
qnap quts_hero
qnap quts_hero
qnap quts_hero
qnap quts_hero
qnap quts_hero
qnap quts_hero
qnap quts_hero
qnap quts_hero
qnap quts_hero

References

Frequently Asked Questions

What is CVE-2024-48866? +
An improper handling of URL encoding (Hex Encoding) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to run the system into unexpected state. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later QTS 5.2.2.2950 build 20241114 and later QuTS hero h5.1.9.2954 build 20241120 and later QuTS hero h5.2.2.2952 build 20241116 and later It has a CVSS v3.1 base score of 5.3 (MEDIUM).
How severe is CVE-2024-48866? +
CVE-2024-48866 has a CVSS v3.1 score of 5.3 out of 10, rated MEDIUM. This is a medium-severity vulnerability that should be remediated as part of regular maintenance.
What products are affected by CVE-2024-48866? +
CVE-2024-48866 affects products from qnap, specifically: qts, quts_hero. Check the affected products table above for specific version ranges.
How do I check if I'm vulnerable to CVE-2024-48866? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2024-23983

Improper handling of canonical URL-encoding may lead to bypass not properly constrained by request rules.
CVE-2026-6414 5.9

@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal …
CVE-2025-11990 3.1

GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.4.4, and 18.5 before 18.5.2 that …
CVE-2024-32766 10.0

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could …
CVE-2024-32764 9.9

A missing authentication for critical function vulnerability has been reported to affect myQNAPcloud Link. If exploited, the vulnerability could allow …
CVE-2024-48863 9.8

A command injection vulnerability has been reported to affect License Center. If exploited, the vulnerability could allow remote attackers to …

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2024-48866 — free, no signup required.

Start Free Scan