Advisories

concise & outcome-focused

[2026-05] CVE-2026-34007: QNAP Notes Station 3: Pre-Auth Remote Code Execution

An unauthenticated X-Forwarded-For header reaches shell_exec() through a broken IP-validation helper that returns the raw input instead of its sanitized fallback. Yields code execution as www-data inside the Notes Station 3 container with no user interaction.

[2026-05] CVE-2026-34008: QNAP Notes Station 3: Container Privilege Escalation and Host Escape

A www-data-writable crontab is installed by a root-owned monitor inside the container, and host home directories are bind-mounted writable with no user-namespace remapping. Chains from the pre-auth RCE to container root and then admin SSH on the NAS host.

[2026-05] 0day: QNAP QmailAgent: Pre-Auth Time-Based Blind SQL Injection

An unauthenticated backup_restore handler concatenates _job_id into a SQL WHERE clause; db->escape() only handles single quotes and the value is interpolated unquoted, so the escape call is a no-op. Enables time-based blind extraction of contacts, IMAP and SMTP credentials, and live NAS_SID session rows.

Disclosure Policy

We follow responsible disclosure practices. Vulnerabilities are reported to vendors with a 90-day disclosure timeline, extended when necessary for patch development.

For bug bounty coordination or vendor communication, contact research@runiclabs.io.