Synology

All CVEs

319 total · sorted by risk
  • CVE-2018-8921 · Med · Jun 1, 2018
    risk 0.42 · cvss 6.5 · epss 0.01

    Cross-site scripting (XSS) vulnerability in File Sharing Notify Toast in Synology Drive before 1.0.2-10275 allows remote authenticated users to inject arbitrary web script or HTML via a malicious file name.

  • CVE-2018-8915 · Med · May 10, 2018
    risk 0.42 · cvss 6.5 · epss 0.01

    Cross-site scripting (XSS) vulnerability in Notification Center in Synology Calendar before 2.1.1-0502 allows remote authenticated users to inject arbitrary web script or HTML via the title parameter.

  • CVE-2018-8912 · Med · May 9, 2018
    risk 0.42 · cvss 6.5 · epss 0.01

    Cross-site scripting (XSS) vulnerability in SYNO.NoteStation.Note in Synology Note Station before 2.5.1-0844 allows remote authenticated users to inject arbitrary web script or HTML via the commit_msg parameter.

  • CVE-2018-8911 · Med · May 9, 2018
    risk 0.42 · cvss 6.5 · epss 0.01

    Cross-site scripting (XSS) vulnerability in Attachment Preview in Synology Note Station before 2.5.1-0844 allows remote authenticated users to inject arbitrary web script or HTML via malicious attachments.

  • CVE-2017-16770 · Med · Feb 27, 2018
    risk 0.42 · cvss 6.5 · epss 0.02

    File and directory information exposure vulnerability in SYNO.SurveillanceStation.PersonalSettings.Photo in Synology Surveillance Station before 8.1.2-5469 allows remote authenticated users to obtain other users' sensitive files via the filename parameter.

  • CVE-2017-15886 · Med · Dec 28, 2017
    risk 0.42 · cvss 6.5 · epss 0.02

    Server-side request forgery (SSRF) vulnerability in Link Preview in Synology Chat before 2.0.0-1124 allows remote authenticated users to download arbitrary local files via a crafted URI.

  • CVE-2017-16766 · Med · Dec 22, 2017
    risk 0.42 · cvss 6.5 · epss 0.01

    An improper access control vulnerability in synodsmnotify in Synology DiskStation Manager (DSM) before 6.1.4-15217 and before 6.0.3-8754-6 allows local users to inject arbitrary web script or HTML via the -fn option.

  • CVE-2017-15895 · Med · Dec 8, 2017
    risk 0.42 · cvss 6.5 · epss 0.02

    Directory traversal vulnerability in SYNO.FileStation.Extract in Synology Router Manager (SRM) before 1.1.5-6542-4 allows remote authenticated users to write arbitrary files via the dest_folder_path parameter.

  • CVE-2017-15894 · Med · Dec 8, 2017
    risk 0.42 · cvss 6.5 · epss 0.02

    Directory traversal vulnerability in SYNO.FileStation.Extract in Synology DiskStation Manager (DSM) 6.0.x before 6.0.3-8754-3 and before 5.2-5967-6 allows remote authenticated users to write arbitrary files via the dest_folder_path parameter.

  • CVE-2017-15893 · Med · Dec 8, 2017
    risk 0.42 · cvss 6.5 · epss 0.02

    Directory traversal vulnerability in SYNO.FileStation.Extract in Synology File Station before 1.1.1-0099 allows remote authenticated users to write arbitrary files via the dest_folder_path parameter.

  • CVE-2017-15891 · Med · Dec 8, 2017
    risk 0.42 · cvss 6.5 · epss 0.01

    Improper access control vulnerability in SYNO.Cal.EventBase in Synology Calendar before 2.0.1-0242 allows remote authenticated users to modify calendar events via unspecified vectors.

  • CVE-2017-12071 · Med · Sep 8, 2017
    risk 0.42 · cvss 6.5 · epss 0.01

    Server-side request forgery (SSRF) vulnerability in file_upload.php in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allows remote authenticated users to download arbitrary local files via the url parameter.

  • CVE-2017-11162 · Med · Sep 8, 2017
    risk 0.42 · cvss 6.5 · epss 0.02

    Directory traversal vulnerability in synphotoio in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allows remote authenticated users to read arbitrary files via unspecified vectors.

  • CVE-2017-12074 · Med · Aug 24, 2017
    risk 0.42 · cvss 6.5 · epss 0.02

    Directory traversal vulnerability in SYNO.DNSServer.Zone.MasterZoneConf in Synology DNS Server before 2.2.1-3042 allows remote authenticated attackers to write arbitrary files via the domain_name parameter.

  • CVE-2017-11149 · Med · Aug 14, 2017
    risk 0.42 · cvss 6.5 · epss 0.02

    Server-side request forgery (SSRF) vulnerability in Downloader in Synology Download Station 3.8.x before 3.8.5-3475 and 3.x before 3.5-2984 allows remote authenticated users to download arbitrary local files via a crafted URI.

  • CVE-2017-11148 · Med · Aug 11, 2017
    risk 0.42 · cvss 6.5 · epss 0.01

    Server-side request forgery (SSRF) vulnerability in link preview in Synology Chat before 1.1.0-0806 allows remote authenticated users to access intranet resources via unspecified vectors.

  • CVE-2018-8916 · Med · Jun 8, 2018
    risk 0.41 · cvss 6.3 · epss 0.01

    Unverified password change vulnerability in Change Password in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to reset passwords without verification.

  • CVE-2026-2237 · Med · May 27, 2026
    risk 0.40 · cvss 6.2 · epss 0.00

    A use of GET request method with sensitive query strings vulnerability in volume encryption of the Synology Storage Manager package before 1.0.1-1100 allows local users on Windows to obtain sensitive information.

  • CVE-2025-66593 · Med · May 27, 2026
    risk 0.40 · cvss 6.1 · epss 0.00

    An origin validation error vulnerability in Synology Assistant before 7.0.6-50085 allows local users to write arbitrary files with restricted content and conduct denial of service during installation.

  • CVE-2025-66592 · Med · May 27, 2026
    risk 0.40 · cvss 6.1 · epss 0.00

    An origin validation error vulnerability in Synology Active Backup for Business Agent before 3.1.0-4967 allows local users to write arbitrary files with restricted content and conduct denial of service during installation.

  • CVE-2025-13593 · Med · May 27, 2026
    risk 0.40 · cvss 6.1 · epss 0.00

    Origin validation error vulnerability in Synology ActiveProtect Agent before 1.1.0-0439 allows local users to write arbitrary files with restricted content and conduct denial of service during installation.

  • CVE-2017-16771 · Med · Mar 22, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-site scripting (XSS) vulnerability in Log Viewer in Synology Photo Station before 6.8.3-3463 and before 6.3-2971 allows remote attackers to inject arbitrary web script or HTML via the username parameter.

  • CVE-2017-17689 · Med · May 16, 2018
    risk 0.39 · cvss 5.9 · epss 0.04

    The S/MIME specification allows a Cipher Block Chaining (CBC) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL.

  • CVE-2023-52951 · Med · Jun 3, 2026
    risk 0.38 · cvss 5.9 · epss 0.00

    A cleartext transmission of sensitive information vulnerability in Synology Note Station Client before 2.2.4-703 allows man-in-the-middle attackers to obtain user credentials.

  • CVE-2025-10466 · Med · May 27, 2026
    risk 0.38 · cvss 5.9 · epss 0.00

    Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Safe Access in Synology Safe Access before 1.3.1-0329 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive…

  • CVE-2018-8927 · Med · Jun 14, 2018
    risk 0.35 · cvss 5.4 · epss 0.01

    Improper authorization vulnerability in SYNO.Cal.Event in Calendar before 2.1.2-0511 allows remote authenticated users to create arbitrary events via the (1) cal_id or (2) original_cal_id parameter.

  • CVE-2017-16767 · Med · Feb 27, 2018
    risk 0.35 · cvss 5.4 · epss 0.01

    Cross-site scripting (XSS) vulnerability in User Profile in Synology Surveillance Station before 8.1.2-5469 allows remote authenticated users to inject arbitrary web script or HTML via the userDesc parameter.

  • CVE-2017-16769 · Med · Feb 23, 2018
    risk 0.35 · cvss 5.3 · epss 0.02

    Exposure of private information vulnerability in Photo Viewer in Synology Photo Station 6.8.1-3458 allows remote attackers to obtain metadata from password-protected photographs via the map viewer mode.

  • CVE-2017-15892 · Med · Dec 28, 2017
    risk 0.35 · cvss 5.4 · epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in Slash Command Creator in Synology Chat before 2.0.0-1124 allow remote authenticated users to inject arbitrary web script or HTML via the (1) COMMAND, (2) COMMANDS INSTRUCTION, or (3) DESCRIPTION parameter.

  • CVE-2017-12072 · Med · Dec 20, 2017
    risk 0.35 · cvss 5.4 · epss 0.01

    Cross-site scripting (XSS) vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.8.0-3456 allows remote authenticated users to inject arbitrary web script or HTML via the id parameter.

  • CVE-2017-12080 · Med · Dec 4, 2017
    risk 0.35 · cvss 5.3 · epss 0.01

    An information exposure vulnerability in the default HTTP configuration file in Synology Photo Station before 6.8.1-3458 and before 6.3-2970 allows remote attackers to obtain sensitive system information via the .htaccess file.

  • CVE-2017-15888 · Med · Oct 30, 2017
    risk 0.35 · cvss 5.4 · epss 0.01

    Cross-site scripting (XSS) vulnerability in Custom Internet Radio List in Synology Audio Station before 6.3.0-3260 allows remote authenticated attackers to inject arbitrary web script or HTML via the NAME parameter.

  • CVE-2017-9555 · Med · Aug 24, 2017
    risk 0.35 · cvss 5.4 · epss 0.01

    Cross-site scripting (XSS) vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.0-3414 allows remote attackers to inject arbitrary web script or HTML via the image parameter.

  • CVE-2017-9556 · Med · Aug 11, 2017
    risk 0.35 · cvss 5.4 · epss 0.01

    Cross-site scripting (XSS) vulnerability in Video Metadata Editor in Synology Video Station before 2.3.0-1435 allows remote authenticated attackers to inject arbitrary web script or HTML via the title parameter.

  • CVE-2015-9105 · Med · Jun 30, 2017
    risk 0.35 · cvss 5.4 · epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in Synology Video Station 1.2 before 1.2-0455, 1.5 before 1.5-0772, and 1.6 before 1.6-0847 allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) file name or (2) collection name of videos.

  • CVE-2015-9104 · Med · Jun 30, 2017
    risk 0.35 · cvss 5.4 · epss 0.01

    Cross-site scripting (XSS) vulnerabilities in Synology Audio Station 5.1 before 5.1-2550 and 5.4 before 5.4-2857 allow remote authenticated attackers to inject arbitrary web script or HTML via the album title.

  • CVE-2015-9103 · Med · Jun 30, 2017
    risk 0.35 · cvss 5.4 · epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in Synology Note Station 1.1-0212 and earlier allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) note title or (2) file name of attachments.

  • CVE-2015-9102 · Med · Jun 30, 2017
    risk 0.35 · cvss 5.4 · epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station 6.0 before 6.0-2638 and 6.3 before 6.3-2962 allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) album name, (2) file name of uploaded photos, (3) description of…

  • CVE-2017-12077 · Med · Aug 28, 2017
    risk 0.32 · cvss 4.9 · epss 0.01

    Uncontrolled Resource Consumption vulnerability in SYNO.Core.PortForwarding.Rules in Synology Router Manager (SRM) before 1.1.4-6509 allows remote authenticated attackers to exhaust the memory resources of the machine, causing a denial of service.

  • CVE-2017-12076 · Med · Aug 28, 2017
    risk 0.32 · cvss 4.9 · epss 0.01

    Uncontrolled Resource Consumption vulnerability in SYNO.Core.PortForwarding.Rules in Synology DiskStation Manager (DSM) before 6.1.1-15088 allows remote authenticated attackers to exhaust the memory resources of the machine, causing a denial of service.

  • CVE-2017-16768 · Med · Dec 27, 2017
    risk 0.31 · cvss 4.8 · epss 0.01

    Cross-site scripting (XSS) vulnerability in User Policy editor in Synology MailPlus Server before 1.4.0-0415 allows remote authenticated users to inject arbitrary HTML via the name parameter.

  • CVE-2017-15890 · Med · Dec 15, 2017
    risk 0.31 · cvss 4.8 · epss 0.01

    Cross-site scripting (XSS) vulnerability in Disclaimer in Synology MailPlus Server before 1.4.0-0415 allows remote authenticated users to inject arbitrary web script or HTML via the NAME parameter.

  • CVE-2024-47273 · Med · Jun 3, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Backup Task functionality in Synology Hyper Backup before 4.1.2-4036 allows remote authenticated users to write specific files via unspecified vectors.

  • CVE-2024-47263 · Med · Jun 3, 2026
    risk 0.27 · cvss 4.1 · epss 0.00

    An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in the Backup.Repository webapi component in Synology Hyper Backup before 4.1.2-4036 allows remote authenticated users with administrator privileges to write specific files containing…

  • CVE-2013-6955 · Jan 9, 2014
    risk 0.10 · cvss n/a · epss 0.85

    webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD…

  • CVE-2024-10443 · Nov 15, 2024
    risk 0.06 · cvss n/a · epss 0.28

    Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in the Task Manager component in Synology BeePhotos before 1.0.2-10026 and 1.1.0-10053 and Synology Photos before 1.6.2-0720 and 1.7.0-0795 allows remote attackers to execute…

  • CVE-2015-6912 · Sep 11, 2015
    risk 0.04 · cvss n/a · epss 0.12

    Synology Video Station before 1.5-0763 allows remote attackers to execute arbitrary shell commands via shell metacharacters in the subtitle_codepage parameter to subtitle.cgi.

  • CVE-2013-6987 · Dec 31, 2013
    risk 0.04 · cvss n/a · epss 0.15

    Multiple directory traversal vulnerabilities in the FileBrowser components in Synology DiskStation Manager (DSM) before 4.3-3810 Update 3 allow remote attackers to read, write, and delete arbitrary files via a .. (dot dot) in the (1) path parameter to file_delete.cgi or (2)…

  • CVE-2015-6911 · Sep 11, 2015
    risk 0.03 · cvss n/a · epss 0.02

    SQL injection vulnerability in Synology Video Station before 1.5-0763 allows remote attackers to execute arbitrary SQL commands via the id parameter to watchstatus.cgi.

  • CVE-2012-1556 · Sep 12, 2014
    risk 0.03 · cvss n/a · epss 0.03

    Cross-site scripting (XSS) vulnerability in Synology Photo Station 5 for DiskStation Manager (DSM) 3.2-1955 allows remote attackers to inject arbitrary web script or HTML via the name parameter to photo/photo_one.php.

Page 2 of 7