QNAP Patches Vulnerabilities Exploited at Pwn2Own


Taiwan-based QNAP Systems over the weekend announced patches for multiple QTS and QuTS Hero vulnerabilities demonstrated at the Pwn2Own Ireland 2024 hacking contest.

At Pwn2Own, participants earned tens of thousands of dollars for QNAP product exploits. One entry even earned white hat hackers $100,000, but it involved chaining vulnerabilities in both QNAP and TrueNAS devices.

The most severe of the security holes is CVE-2024-50393 (CVSS score of 8.7), a command injection flaw that could allow remote attackers to execute arbitrary commands on vulnerable devices.

Next in line is CVE-2024-48868 (CVSS score of 8.7), a Carriage Return and Line Feed (CRLF) injection bug that could be exploited to modify application data. CRLF sequences are special elements used in contexts such as HTTP headers to signify End of Line (EOL) markers.
