ZDI 2026-04-15

ZDI-26-292: QNAP TS-453E QVRPro excpostgres Exposed Dangerous Method Remote Code Execution Vulnerability

CVE-2026-22898

Machine-generated analysis · WAYSCloud LLM

The vulnerability affects QNAP TS-453E devices running QVRPro's excpostgres service and can be exploited without authentication.

Context

The affected product is the QNAP TS-453E running the QVRPro excpostgres service. The vulnerability is a remote code execution issue that can be triggered by network-adjacent attackers without authentication. The advisory notes a CVSS score of 8.8, indicating high severity according to the scoring system. Worth noting is that the vulnerability does not require user interaction or credentials to exploit.

Operator considerations

Check: Verify if QNAP TS-453E devices are running QVRPro with excpostgres enabled.

From Zero Day Initiative ↗

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of QNAP TS-453E devices. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2026-22898.

Read the full advisory on ZDI →