CVE-2025-14106 | ZSPACE Q2C NAS up to 1.1.0210050 HTTP POST Request /v2/file/safe/close zfilev2_api.CloseSafe safe_dir command injection

A vulnerability classified as critical has been found in ZSPACE Q2C NAS up to 1.1.0210050. Affected is the function zfilev2_api.CloseSafe of the file /v2/file/safe/close of the component HTTP POST Request Handler. The manipulation of the argument safe_dir leads to command injection.

This vulnerability is uniquely identified as CVE-2025-14106. The attack is possible to be carried out remotely. Moreover, an exploit is present.

The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2025-14106 | ZSPACE Q2C NAS up to 1.1.0210050 HTTP POST Request /v2/file/safe/close zfilev2_api.CloseSafe safe_dir command injection

Post correlati

CVE-2024-6701 | Pegasystems Pega Infinity up to 24.1.2 Case Type cross site scripting

CVE-2024-13699 | qodeinteractive Qi Addons For Elementor Plugin up to 1.8.7 on WordPress cross site scripting

CVE-2023-6637 | CAOS Plugin up to 4.7.14 on WordPress Setting authorization

CVE-2023-39611 | Software FX Chart FX 7 7.0.4962.20829 Web Request information disclosure