Security ID : QSA-25-37
Multiple Vulnerabilities in Download Station
Release date : November 8, 2025
CVE identifier : CVE-2025-58463 | CVE-2025-58465
Affected products: Download Station 5.10.x
Severity : Important
Status : Resolved
Summary
Multiple vulnerabilities have been reported to affect Download Station:
- CVE-2025-58463: Relative path traversal vulnerability
  If a remote attacker gains access to an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data.
- CVE-2025-58465: Cross-site scripting (XSS) vulnerability
  If a remote attacker gains access to a user account, they can then exploit the vulnerability to bypass security mechanisms or read application data.
We have already fixed the vulnerabilities in the following versions:
| Affected Product | Fixed Version |
| --- | --- |
| Download Station 5.10.x (for QTS 5.2.1) | Download Station 5.10.0.305 (2025/09/16) and later |
| Download Station 5.10.x (for QuTS hero h5.2.1) | Download Station 5.10.0.304 (2025/09/08) and later |
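To check a fleet against the table above, the following added example (not QNAP code) compares installed Download Station versions with the fixed build for each operating system. The four-part numeric version format, the status labels and the sample inventory are assumptions made for illustration.

```python
# Fixed builds copied from the advisory table; everything else is illustrative.
FIXED_BUILD = {
    "QTS": (5, 10, 0, 305),
    "QuTS hero": (5, 10, 0, 304),
}
AFFECTED_BRANCH = (5, 10)  # the advisory lists Download Station 5.10.x


def parse_version(text):
    """Turn '5.10.0.305' into (5, 10, 0, 305); raise ValueError otherwise."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(int(p) for p in parts)


def assess(os_name, installed):
    """Return 'vulnerable', 'fixed', 'not-listed' or 'unknown' for one host."""
    fixed = FIXED_BUILD.get(os_name)
    if fixed is None:
        return "unknown"  # operating system not covered by the advisory table
    try:
        version = parse_version(installed)
    except ValueError:
        return "unknown"  # flag for manual review rather than guess
    if version[:2] != AFFECTED_BRANCH:
        return "not-listed"  # outside the 5.10.x branch the advisory names
    return "fixed" if version >= fixed else "vulnerable"


def triage(inventory):
    """Map each hostname to its status."""
    return {host: assess(os_name, ver) for host, os_name, ver in inventory}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("nas-01", "QTS", "5.10.0.305"),
    ("nas-02", "QTS", "5.10.0.304"),  # fixed on QuTS hero, not on QTS
    ("nas-03", "QuTS hero", "5.10.0.304"),
    ("nas-04", "QuTS hero", "5.10.0.287"),
    ("nas-05", "QTS", "unknown"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Build 5.10.0.304 counts as fixed only on QuTS hero, so the operating system has to be part of the comparison.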
Recommendation
To fix the vulnerabilities, we recommend updating Download Station to the latest version.
Updating Download Station
- Log on to QTS or QuTS hero as an administrator.
- Open App Center and then click the search icon.
  A search box appears.
- Type "Download Station" and then press ENTER.
  Download Station appears in the search results.
- Click Update.
  A confirmation message appears.
  Note: The Update button is not available if your Download Station is already up to date.
- Click OK.
  The system updates the application.
Acknowledgements: Tim Coen
Revision History:
V1.0 (November 8, 2025) - Published