Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN686
_____________________________________________________________________

DATE                : 29/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running QuMagie versions prior to 2.9.1,
                                           2.10.0
                     License Center versions prior to 2.0.42.
 
=====================================================================
https://www.qnap.com/en-uk/security-advisory/qsa-26-35
_____________________________________________________________________


Security ID : QSA-26-35

Vulnerabilities in QuMagie and License Center

    Release date : June 17, 2026

    CVE identifier : CVE-2026-26236, CVE-2026-26237, CVE-2026-44083

    Affected products: QuMagie 2.9.0, QuMagie2.8.2, License Center
                        1.8.56

Severity
Critical

Status
Resolved


Summary

Multiple vulnerabilities have been reported to affect QuMagie:

    CVE-2026-26236: Pre-authentication vulnerability
    An unauthenticated remote attacker may access media files stored
in QuMagie, potentially resulting in information disclosure.
     
    CVE-2026-26237: Pre-authentication vulnerability
    An unauthenticated remote attacker may access AI face recognition
thumbnails and folder cover images, potentially resulting in
information disclosure.
     
    CVE-2026-44083: Unauthorized access vulnerability
    An unauthenticated remote attacker may gain unauthorized access to
media files and album archives stored in QuMagie, potentially resulting
in information disclosure.
     
    CVE-2025-62851:Path traversal
    An authenticated administrator may access files outside the intended
directory due to a path traversal vulnerability in qlicenseRequest.cgi.
     

We have already fixed the vulnerabilities in the following version:

Affected Product 	Fixed Version

QuMagie 2.8.2           QuMagie 2.9.1
QuMagie 2.9.0           QuMagie 2.10.0
License Center 1.8.56   License Center 2.0.42


Recommendation

To secure your device, we recommend regularly updating your system to the
latest version to benefit from vulnerability fixes. You can check the
product support status to see the latest updates available to your NAS
model.

Updating QuMagie

    Log on to QTS or QuTS hero as an administrator.
    Open App Center and then click .
    A search box appears.
    Type "QuMagie" and then press ENTER.
    QuMagie appears in the search results.
    Click Update.
    A confirmation message appears.
    Note: The Update button is not available if your QuMagie is already
         up to date.
    Click OK.
    The system updates the application.

Updating License Center

    Log on to QTS or QuTS hero as an administrator.
    Open App Center and then click .
    A search box appears.
    Type "License Center" and then press ENTER.
    License Center appears in the search results.
    Click Update.
    A confirmation message appears.
    Note: The Update button is not available if your License Center
          is already up to date.
    Click OK.
    The system updates the application.

Attachment

    CVE-2026-26236.json
    CVE-2026-44083.json
    CVE-2026-26237.json
    CVE-2025-62851.json

Revision History:
V1.0 (June 17, 2026) - Published


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================