CVE-2024-48867

An improper neutralization of CRLF sequences ('CRLF Injection') vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to modify application data.

We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later QTS 5.2.2.2950 build 20241114 and later QuTS hero h5.1.9.2954 build 20241120 and later QuTS hero h5.2.2.2952 build 20241116 and later

Published: Dec 6, 2024
Updated: Nov 16, 2025
CVE: CVE-2024-48867
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWEs:

CWE-93

Affected Software
References

Software	From	Fixed in
qnap / qts	5.1.0.2348-build_20230325	5.1.0.2348-build_20230325.x
qnap / qts	5.1.0.2399-build_20230515	5.1.0.2399-build_20230515.x
qnap / qts	5.1.0.2418-build_20230603	5.1.0.2418-build_20230603.x
qnap / qts	5.1.0.2444-build_20230629	5.1.0.2444-build_20230629.x
qnap / qts	5.1.0.2466-build_20230721	5.1.0.2466-build_20230721.x
qnap / qts	5.1.1.2491-build_20230815	5.1.1.2491-build_20230815.x
qnap / qts	5.1.2.2533-build_20230926	5.1.2.2533-build_20230926.x
qnap / qts	5.1.3.2578-build_20231110	5.1.3.2578-build_20231110.x
qnap / qts	5.1.4.2596-build_20231128	5.1.4.2596-build_20231128.x
qnap / qts	5.1.5.2645-build_20240116	5.1.5.2645-build_20240116.x
qnap / qts	5.1.5.2679-build_20240219	5.1.5.2679-build_20240219.x
qnap / qts	5.1.6.2722-build_20240402	5.1.6.2722-build_20240402.x
qnap / qts	5.1.7.2770-build_20240520	5.1.7.2770-build_20240520.x
qnap / qts	5.1.8.2823-build_20240712	5.1.8.2823-build_20240712.x
qnap / qts	5.2.0.2737-build_20240417	5.2.0.2737-build_20240417.x
qnap / qts	5.2.0.2744-build_20240424	5.2.0.2744-build_20240424.x
qnap / qts	5.2.0.2782-build_20240601	5.2.0.2782-build_20240601.x
qnap / qts	5.2.0.2802-build_20240620	5.2.0.2802-build_20240620.x
qnap / qts	5.2.0.2823-build_20240711	5.2.0.2823-build_20240711.x
qnap / qts	5.2.0.2851-build_20240808	5.2.0.2851-build_20240808.x
qnap / qts	5.2.0.2860-build_20240817	5.2.0.2860-build_20240817.x
qnap / qts	5.2.1.2930-build_20241025	5.2.1.2930-build_20241025.x
qnap / quts_hero	h5.1.0.2409-build_20230525	h5.1.0.2409-build_20230525.x
qnap / quts_hero	h5.1.0.2424-build_20230609	h5.1.0.2424-build_20230609.x
qnap / quts_hero	h5.1.0.2453-build_20230708	h5.1.0.2453-build_20230708.x
qnap / quts_hero	h5.1.0.2466-build_20230721	h5.1.0.2466-build_20230721.x
qnap / quts_hero	h5.1.1.2488-build_20230812	h5.1.1.2488-build_20230812.x
qnap / quts_hero	h5.1.2.2534-build_20230927	h5.1.2.2534-build_20230927.x
qnap / quts_hero	h5.1.3.2578-build_20231110	h5.1.3.2578-build_20231110.x
qnap / quts_hero	h5.1.4.2596-build_20231128	h5.1.4.2596-build_20231128.x
qnap / quts_hero	h5.1.5.2647-build_20240118	h5.1.5.2647-build_20240118.x
qnap / quts_hero	h5.1.5.2680-build_20240220	h5.1.5.2680-build_20240220.x
qnap / quts_hero	h5.1.6.2734-build_20240414	h5.1.6.2734-build_20240414.x
qnap / quts_hero	h5.1.7.2770-build_20240520	h5.1.7.2770-build_20240520.x
qnap / quts_hero	h5.1.7.2788-build_20240607	h5.1.7.2788-build_20240607.x
qnap / quts_hero	h5.1.7.2794-build_20240613	h5.1.7.2794-build_20240613.x
qnap / quts_hero	h5.1.8.2823-build_20240712	h5.1.8.2823-build_20240712.x
qnap / quts_hero	h5.2.0.2737-build_20240417	h5.2.0.2737-build_20240417.x
qnap / quts_hero	h5.2.0.2782-build_20240601	h5.2.0.2782-build_20240601.x
qnap / quts_hero	h5.2.0.2789-build_20240607	h5.2.0.2789-build_20240607.x
qnap / quts_hero	h5.2.0.2802-build_20240620	h5.2.0.2802-build_20240620.x
qnap / quts_hero	h5.2.0.2823-build_20240711	h5.2.0.2823-build_20240711.x
qnap / quts_hero	h5.2.0.2851-build_20240808	h5.2.0.2851-build_20240808.x
qnap / quts_hero	h5.2.0.2860-build_20240817	h5.2.0.2860-build_20240817.x
qnap / quts_hero	h5.2.1.2929-build_20241025	h5.2.1.2929-build_20241025.x
qnap / quts_hero	h5.2.1.2940-build_20241105	h5.2.1.2940-build_20241105.x

https://www.qnap.com/en/security-advisory/qsa-24-49

Vulnerability Database

308,820

CVE-2024-48867

Deep Security Visibility Without the Complexity