Recently, there have been two major cybersecurity news items:
CVE-2026-32746
A vulnerability exists in certain telnetd implementations. Attackers can trigger a memory buffer overflow in the daemon process by sending specially crafted content during the connection initialization option negotiation phase, allowing them to execute arbitrary commands with system privileges.
The telnet service on QNAP NAS/QVP/TVR and other products is disabled by default. Furthermore, after verification, our systems use a different terminal service package and do not contain the vulnerable function code. Therefore, there is no need for a firmware update regarding this issue.
The Axios npm package poisoning incident is a software supply chain attack.
Attackers implanted a backdoor in versions 1.14.1 and 0.30.4 of the package. The backdoor steals Node.js environment variables and sends important information from the host to external servers.
Some QNAP software projects do reference Axios. However, our development process enforces a fixed package version mechanism and locks the Software Bill of Materials (SBOM). Upon investigation, none of the currently released software contains the infected package versions.
Therefore, current QNAP products are not affected by these two issues, and there is no need to change device environments or network configurations.