VYPR
Vendor

Synology

Products
68
CVEs
319
Across products
339
Status
Private

Products

68
View all 68 products →

Recent CVEs

319
View all 319 CVEs →
  • CVE-2017-14491CriOct 4, 2017
    risk 0.73cvss 9.8epss 0.85

    Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DNS response.

  • CVE-2017-11151CriAug 8, 2017
    risk 0.69cvss 9.8epss 0.25

    A vulnerability in synotheme_upload.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to upload arbitrary files without authentication via the logo_upload action.

  • CVE-2017-11153CriAug 8, 2017
    risk 0.68cvss 9.8epss 0.19

    Deserialization vulnerability in synophoto_csPhotoMisc.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to gain administrator privileges via a crafted serialized payload.

  • CVE-2016-10329CriMay 12, 2017
    risk 0.67cvss 9.8epss 0.40

    Command injection vulnerability in login.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to execute arbitrary code via shell metacharacters in the crafted 'X-Forwarded-For' header.

  • CVE-2017-15889HigDec 4, 2017
    risk 0.66cvss 8.8epss 0.72

    Command injection vulnerability in smart.cgi in Synology DiskStation Manager (DSM) before 5.2-5967-5 allows remote authenticated users to execute arbitrary commands via disk field.

  • CVE-2025-12686CriMay 27, 2026
    risk 0.64cvss 9.8epss 0.03

    Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in AdminCenter in Synology BeeStation OS before 1.3.2-65648 allows remote attackers to execute arbitrary code via unspecified vectors.

  • CVE-2016-6554CriJul 13, 2018
    risk 0.64cvss 9.8epss 0.04

    Synology NAS servers DS107, firmware version 3.1-1639 and prior, and DS116, DS213, firmware versions prior to 5.2-5644-1, use non-random default credentials of: guest:(blank) and admin:(blank) . A remote network attacker can gain privileged access to a vulnerable device.

  • CVE-2017-15887CriNov 7, 2017
    risk 0.64cvss 9.8epss 0.02

    An improper restriction of excessive authentication attempts vulnerability in /principals in Synology CardDAV Server before 6.0.7-0085 allows remote attackers to obtain user credentials via a brute-force attack.

  • CVE-2017-11161CriSep 8, 2017
    risk 0.64cvss 9.8epss 0.01

    Multiple SQL injection vulnerabilities in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allow remote attackers to execute arbitrary SQL commands via the (1) article_id parameter to label.php; or (2) type parameter to synotheme.php.

  • CVE-2018-8926HigJun 8, 2018
    risk 0.57cvss 8.8epss 0.02

    Permissive regular expression vulnerability in synophoto_dsm_user in Synology Photo Station before 6.8.5-3471 and before 6.3-2975 allows remote authenticated users to conduct privilege escalation attacks via the fullname parameter.

  • CVE-2018-8925HigJun 8, 2018
    risk 0.57cvss 8.8epss 0.01

    Cross-site request forgery (CSRF) vulnerability in admin/user.php in Synology Photo Station before 6.8.5-3471 and before 6.3-2975 allows remote attackers to hijack the authentication of administrators via the (1) username, (2) password, (3) admin, (4) action, (5) uid, or (6)…

  • CVE-2017-16772HigMar 22, 2018
    risk 0.57cvss 8.8epss 0.03

    Improper input validation vulnerability in SYNOPHOTO_Flickr_MultiUpload in Synology Photo Station before 6.8.3-3463 and before 6.3-2971 allows remote authenticated users to execute arbitrary codes via the prog_id parameter.

  • CVE-2016-10322HigApr 10, 2017
    risk 0.57cvss 8.8epss 0.02

    Synology Photo Station before 6.3-2958 allows remote authenticated guest users to execute arbitrary commands via shell metacharacters in the X-Forwarded-For HTTP header to photo/login.php.

  • CVE-2025-30028HigMay 27, 2026
    risk 0.56cvss 8.6epss 0.00

    A vulnerability in Active Backup for Business allows unauthorized remote attackers to read arbitrary files.

  • CVE-2017-11155HigAug 8, 2017
    risk 0.55cvss 7.5epss 0.45

    An information exposure vulnerability in index.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to obtain sensitive system information via unspecified vectors.

  • CVE-2025-13392HigMay 27, 2026
    risk 0.53cvss 8.1epss 0.01

    Improper check for unusual or exceptional conditions vulnerability in SSO in Synology DiskStation Manager (DSM) before 7.2.2-72806-5 and 7.3.1-86003-1 (7.2.1-69057 is not affected) allows remote attackers to bypass authentication with prior knowledge of the distinguished name…

  • CVE-2021-47961HigApr 10, 2026
    risk 0.53cvss 8.1epss 0.00

    A plaintext storage of a password vulnerability in Synology SSL VPN Client before 1.4.5-0684 allows remote attackers to access or influence the user's PIN code due to insecure storage. This may lead to unauthorized VPN configuration and potential interception of subsequent VPN…

  • CVE-2017-11152HigAug 8, 2017
    risk 0.53cvss 7.5epss 0.14

    Directory traversal vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to write arbitrary files via the path parameter.

  • CVE-2022-49042HigJun 3, 2026
    risk 0.51cvss 7.8epss 0.00

    An inclusion of functionality from untrusted control sphere vulnerability in MinGW DLL component in Synology Hyper Backup Explorer before 3.0.1-0156 allows local users to execute arbitrary code via unspecified vectors.

  • CVE-2022-49036HigJun 3, 2026
    risk 0.51cvss 7.8epss 0.00

    An inclusion of functionality from untrusted control sphere vulnerability in OpenSSL configuration in Synology Active Backup for Business Recovery Media Creator before 2.5.0-2081 allows local users to execute arbitrary code via unspecified vectors.