This is a command injection through a basic GET giving instant root access. Definitely worth a high score. These days I'm pretty sure browsers won't let you put a private IP in an <img> URL anymore but for the past 10-13 years there have definitely been browsers where visiting a web page is all you needed to do to get your NAS hooked up to a botnet.
Agreed (having read up properly), hence my other reply (https://news.ycombinator.com/item?id=42252807). But a headline that succinctly and accurately explains a worst-case scenario would be much better than one that just points at a CVE score. (The submission has since been re-titled according to a less clickbaity source.)