Quest has patched a high-severity cross-site scripting vulnerability in its NetVault Backup product that can be exploited by remote attackers to bypass authentication, according to an advisory published June 24, 2026 by the Zero Day Initiative.
Vulnerability Details
The flaw, tracked as CVE-2026-7569 with a CVSS score of 8.8, resides in the viewclient webpage of NetVault Backup. The root cause is insufficient validation of user-supplied input, which permits an attacker to inject arbitrary script content into the page.
Exploitation requires user interaction: the target must visit a malicious page or open a malicious file. Once triggered, the vulnerability can be chained with additional flaws to achieve arbitrary code execution in the context of SYSTEM, representing a significant privilege escalation risk in environments where NetVault Backup is deployed.
Attack Vector and Impact
- Attack vector: Network, no authentication required, low complexity
- User interaction: Required (victim must open a malicious page or file)
- Potential impact: High confidentiality, integrity, and availability impact
- Code execution context: SYSTEM, when chained with other vulnerabilities
Patch and Timeline
Quest was notified of the issue on October 3, 2025, and coordinated public disclosure took place on June 24, 2026, roughly eight months later. The vendor has issued a corrective update; details are available in the NetVault 14.0.2 release notes on Quest’s support portal.
Security teams running NetVault Backup should prioritize applying the available update, particularly in environments where the backup management interface is accessible from broader network segments. Credit for discovery goes to Bobby Gould of Trend Zero Day Initiative.