CVE-2025-58465

EUVD-2025-38287
A cross-site scripting (XSS) vulnerability has been reported to affect Download Station. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass security mechanisms or read application data.

We have already fixed the vulnerability in the following versions:
Download Station 5.10.0.305 ( 2025/09/16 ) and later
Download Station 5.10.0.304 ( 2025/09/08 ) and later
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 27%
Affected Products (NVD)
VendorProductVersion
qnapdownload_station
5.10.0.291
qnapdownload_station
5.10.0.291 ≤
𝑥
< 5.10.0.305
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.qnap.com/en/security-advisory/qsa-25-37