https://www.bleepingcomputer.com/news/security/qnap-fixes-bug-that-let-attackers-run-malicious-commands-remotely/

Taiwan-based network-attached storage (NAS) maker QNAP has released security patches for multiple vulnerabilities that could allow attackers to inject and execute malicious code and commands remotely on vulnerable NAS devices.

Three of the security flaws fixed today by QNAP are high severity stored cross-site scripting (XSS) vulnerabilities (tracked as CVE-2021-34354, CVE-2021-34356, and CVE-2021-34355) affect devices running unpatched Photo Station software (releases before 5.4.10, 5.7.13, or 6.0.18).