- Product: QNAP Systems Inc. (2 products)
- Vulnerabilities: 4 flaws (CVE-2026-26236, CVE-2026-26237, CVE-2026-44083, CVE-2025-62851)
- Highest severity: 9.8 (High · CVSSv3)
- Worst impact: An authorization bypass through user-controlled key vulnerability has been reported to affect...
- Status: No confirmed exploitation yet; patches available
- Action: Update to 2.9.1, 1.9.56 now
| CVE | CVSS (CVSSv3) | Fixed in | Status |
|---|---|---|---|
| CVE-2026-44083 | 9.8 | 2.9.1 | Not exploited |
| CVE-2026-26236 | 7.5 | 2.9.1 | Not exploited |
| CVE-2026-26237 | 7.5 | 2.9.1 | Not exploited |
| CVE-2025-62851 | 4.4 | 1.9.56 | Not exploited |
TL;DR
QNAP has patched four vulnerabilities: three in QuMagie that need no login at all, and a fourth in License Center. Through the QuMagie flaws, unauthenticated attackers could view private photos, AI face-recognition thumbnails, and album archives. None has been reported as exploited in the wild.
Why it matters
QuMagie is QNAP’s photo management app for NAS devices. Many users expose it to the internet for remote access. Three of these bugs are pre-authentication, so no credentials are needed. As a result, a remote attacker could pull personal media straight off the device. Stolen photos can fuel extortion, doxxing, or identity theft. Face-recognition data is especially sensitive, since it ties images to named people. QNAP NAS devices are also a frequent target for opportunistic scans.
How the attacks work
The three QuMagie bugs all enable information disclosure. CVE-2026-26236 lets an unauthenticated user reach stored media files. CVE-2026-26237 exposes face-recognition thumbnails and folder cover images. CVE-2026-44083 opens access to media files and full album archives. The fourth issue, CVE-2025-62851, is a path traversal flaw in License Center. There, an authenticated admin can read files outside the intended directory. Together, the four flaws center on data exposure rather than code execution. All four bugs are fixed in the latest builds.
Affected versions
QuMagie 2.8.2 is fixed in 2.9.1. QuMagie 2.9.0 moves to 2.10.0. License Center 1.8.56 is patched in 2.0.42.
Patch and mitigation
Updates are ready now. Log in as administrator, open App Center, and update both QuMagie and License Center. Review the full QSA-26-35 advisory for the exact version mapping. No public proof-of-concept and no in-the-wild exploitation have been confirmed. Even so, patch quickly and avoid exposing QuMagie to the open internet. Use a VPN for remote access instead of direct exposure, and restrict the app to trusted networks where possible.