Security ID : QSA-26-15
Vulnerability in QuFTP Service
Release date : March 21, 2026
CVE identifier : CVE-2026-22895
Affected products: QuFTP Service 1.4.x, QuFTP Service 1.5.x, QuFTP Service 1.6.x
Severity : Moderate
Status : Resolved
Summary
A cross-site scripting (XSS) vulnerability has been reported to affect QuFTP Service. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data.
We have already fixed the vulnerability in the following versions:
| Affected Product | Fixed Version |
| --- | --- |
| QuFTP Service 1.4.x | QuFTP Service 1.4.3 and later |
| QuFTP Service 1.5.x | QuFTP Service 1.5.2 and later |
| QuFTP Service 1.6.x | QuFTP Service 1.6.2 and later |
Recommendation
To fix the vulnerability, we recommend updating QuFTP Service to the latest version.
Updating QuFTP Service
- Log on to QTS or QuTS hero as an administrator.
- Open App Center and then click the search icon.
  A search box appears.
- Type “QuFTP Service” and then press ENTER.
  QuFTP Service appears in the search results.
- Click Update.
  A confirmation message appears.
  Note: The Update button is not available if your QuFTP Service is already up to date.
- Click OK.
  The application is updated.
Acknowledgements: Milan Solanki (LeoSecurity)
Revision History:
V1.0 (March 21, 2026) - Published