CVE-2020-36195

Name: CVE-2020-36195
Creator: NVD / NIST
Published: 2021-04-17T04:15:11.61+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 1.76%

Last modified Jun 17, 2026

CVE-2020-36195 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. EPSS estimates a 1.76% chance of exploitation in the next 30 days.

Description

An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia Console and the Media Streaming add-on. QTS 4.3.3: Media Streaming add-on 430.1.8.10 and later QTS 4.3.6: Media Streaming add-on 430.1.8.8 and later QTS 4.4.x and later: Multimedia Console 1.3.4 and later We have also fixed this vulnerability in the following versions of QTS 4.3.3 and QTS 4.3.6, respectively: QTS 4.3.3.1624 Build 20210416 or later QTS 4.3.6.1620 Build 20210322 or later

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

1.76%

75.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Qnap	Qts	< 4.3.3
Qnap	Qts	>= 4.3.4, < 4.3.6
Qnap	Qts	4.3.3
Qnap	Qts	4.3.3.0095
Qnap	Qts	4.3.3.0096
Qnap	Qts	4.3.3.0136
Qnap	Qts	4.3.3.0154
Qnap	Qts	4.3.3.0174
Qnap	Qts	4.3.3.0188
Qnap	Qts	4.3.3.0210
Qnap	Qts	4.3.3.0229
Qnap	Qts	4.3.3.0238
Qnap	Qts	4.3.3.0262
Qnap	Qts	4.3.3.0299
Qnap	Qts	4.3.3.0351
Qnap	Qts	4.3.3.0353
Qnap	Qts	4.3.3.0361
Qnap	Qts	4.3.3.0369
Qnap	Qts	4.3.3.0378
Qnap	Qts	4.3.3.0396
Qnap	Qts	4.3.3.0404
Qnap	Qts	4.3.3.0416
Qnap	Qts	4.3.3.0418
Qnap	Qts	4.3.3.0448
Qnap	Qts	4.3.3.0514
Qnap	Qts	4.3.3.0546
Qnap	Qts	4.3.3.0570
Qnap	Qts	4.3.3.0868
Qnap	Qts	4.3.3.0998
Qnap	Qts	4.3.3.1051
Qnap	Qts	4.3.3.1098
Qnap	Qts	4.3.3.1161
Qnap	Qts	4.3.3.1252
Qnap	Qts	4.3.3.1315
Qnap	Qts	4.3.3.1386
Qnap	Qts	4.3.3.1432
Qnap	Qts	4.3.6
Qnap	Qts	4.3.6.0895
Qnap	Qts	4.3.6.0907
Qnap	Qts	4.3.6.0923
Qnap	Qts	4.3.6.0944
Qnap	Qts	4.3.6.0959
Qnap	Qts	4.3.6.0979
Qnap	Qts	4.3.6.0993
Qnap	Qts	4.3.6.1013
Qnap	Qts	4.3.6.1033
Qnap	Qts	4.3.6.1070
Qnap	Qts	4.3.6.1154
Qnap	Qts	4.3.6.1218
Qnap	Qts	4.3.6.1263

Showing 50 of 57 affected configurations. See NVD for the full list.

References

https://www.qnap.com/en/security-advisory/qsa-21-11Vendor Advisory
https://www.qnap.com/en/security-advisory/qsa-21-11Vendor Advisory

Timeline

Published: Apr 17, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-36195?

How severe is CVE-2020-36195?

CVE-2020-36195 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 1.76% probability of exploitation in the next 30 days.

How do I fix CVE-2020-36195?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-36195?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST