— Security Alert
This QNAP File Station security update fixes a set of security flaws in the File Station 5 app — the browser-based file manager built into most QNAP NAS devices (NAS stands for Network Attached Storage, a small box that stores your files at home instead of in the cloud) — that could let a logged-in user quietly read files outside their own folders. A quick update through App Center closes these holes for good.
What This QNAP File Station Security Update Fixes
QNAP published security advisory QSA-26-03 on February 12, 2026, disclosing three “path-traversal” security flaws — bugs that let a user hop outside the folder they are supposed to see and quietly read files stored elsewhere on the device (CVE-2025-62853, CVE-2025-66278, and CVE-2026-22894). You can also see these security flaws listed on the official CVE databases such as the National Vulnerability Database (NVD). A fourth issue involves resource exhaustion, meaning a bad actor could send repeated requests to temporarily disrupt access to files on the NAS. The flaws carry a low severity rating: CVE-2025-66278, for example, scores 1.3 out of 10, because exploiting it requires a valid, already-authenticated user account on your device. No active exploitation of these flaws has been reported.
For more technical details, you can review the NVD entry for one of the QNAP File Station security flaws .
What This Means for Your Family NAS
For most families, the practical risk here is small. An attacker would first need a working login on your NAS before they could do anything — so a stranger on the internet cannot just walk in. That said, households that share a NAS among several users, or that have left remote access open without a VPN, have a slightly wider window if any one account is ever compromised. The good news: updating eliminates the risk entirely, and since the fix is free and takes less than two minutes, there is no reason to wait. If you are still deciding which NAS fits your household best, our NAS for families buying guide walks through beginner-friendly options in plain English.
What to Do Right Now
- Log in to your QNAP NAS web interface and open App Center.
- Find File Station 5 in the installed apps list and click Update — you need version 5.5.6.5190 or later.
- If prompted, restart the app (or the NAS) to finish applying the update.
- While you are there, check for any other pending app or system-software updates and install those too.
Want to Go Deeper?
If this alert made you think about broader NAS security — hardening user accounts, disabling unused services, or locking down remote access — our NAS ransomware protection checklist walks through every step in plain English. And if protecting your family photos and documents over the long term is top of mind, our photo backup encryption guide explains how to keep those memories private and safe.
Frequently Asked Questions
If File Station 5 is installed on your QNAP NAS — even if you rarely use it — it is still worth updating. Unused apps can still be targeted if they are running in the background.
Open App Center on your QNAP NAS, find File Station 5, and check the version number shown below the app name. If it reads anything lower than 5.5.6.5190, tap Update immediately.
QNAP has not reported any active attacks using these flaws, and exploiting them requires an existing login on your device. Unless you have shared your NAS password with someone you do not trust, it is very unlikely your files were affected. Updating now keeps it that way.