Synology

All CVEs

319 total · sorted by risk
  • CVE-2024-10442 · Mar 19, 2025
    risk 0.01 · cvss · epss 0.01

    Off-by-one error vulnerability in the transmission component in Synology Replication Service before 1.0.12-0066, 1.2.2-0353 and 1.3.0-0423 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to execute arbitrary code, potentially leading to a…

  • CVE-2021-27648 · Apr 28, 2021
    risk 0.01 · cvss · epss 0.03

    Externally controlled reference to a resource in another sphere in quarantine functionality in Synology Antivirus Essential before 1.4.8-2801 allows remote authenticated users to obtain privilege via unspecified vectors.

  • CVE-2021-26894 · Mar 11, 2021
    risk 0.01 · cvss · epss 0.07

    Windows DNS Server Remote Code Execution Vulnerability

  • CVE-2026-3483 · Mar 10, 2026
    risk 0.00 · cvss · epss 0.00

    An exposed dangerous method in Ivanti DSM before version 2026.1.1 allows a local authenticated attacker to escalate their privileges.

  • CVE-2025-62854 · Feb 11, 2026
    risk 0.00 · cvss · epss 0.01

    An uncontrolled resource consumption vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following…

  • CVE-2025-62856 · Feb 11, 2026
    risk 0.00 · cvss · epss 0.00

    A path traversal vulnerability has been reported to affect File Station 5. If a local attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the…

  • CVE-2025-8074 · Dec 4, 2025
    risk 0.00 · cvss · epss 0.00

    Origin validation error vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.3-13973 allows local users to write arbitrary files with non-sensitive information via unspecified vectors.

  • CVE-2025-54160 · Dec 4, 2025
    risk 0.00 · cvss · epss 0.00

    Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows local users to execute arbitrary code via unspecified vectors.

  • CVE-2025-54159 · Dec 4, 2025
    risk 0.00 · cvss · epss 0.00

    Missing authorization vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows remote attackers to delete arbitrary files via unspecified vectors.

  • CVE-2025-54158 · Dec 4, 2025
    risk 0.00 · cvss · epss 0.00

    Missing authentication for critical function vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows local users to execute arbitrary code via unspecified vectors.

  • CVE-2025-2848 · Dec 4, 2025
    risk 0.00 · cvss · epss 0.00

    A vulnerability in Synology Mail Server allows remote authenticated attackers to read and write non-sensitive settings, and disable some non-critical functions.

  • CVE-2025-29846 · Dec 4, 2025
    risk 0.00 · cvss · epss 0.01

    A vulnerability in portenable cgi allows remote authenticated users to get the status of installed packages.

  • CVE-2025-29845 · Dec 4, 2025
    risk 0.00 · cvss · epss 0.00

    A vulnerability in VideoPlayer2 subtitle cgi allows remote authenticated users to read .srt files.

  • CVE-2025-29844 · Dec 4, 2025
    risk 0.00 · cvss · epss 0.00

    A vulnerability in FileStation file cgi allows remote authenticated users to read file metadata and path information.

  • CVE-2025-29843 · Dec 4, 2025
    risk 0.00 · cvss · epss 0.00

    A vulnerability in FileStation thumb cgi allows remote authenticated users to read/write image files.

  • CVE-2024-5401 · Dec 4, 2025
    risk 0.00 · cvss · epss 0.00

    Improper control of dynamically-managed code resources vulnerability in WebAPI component in Synology DiskStation Manager (DSM) before 7.1.1-42962-8 and 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote authenticated users to…

  • CVE-2024-45539 · Dec 4, 2025
    risk 0.00 · cvss · epss 0.00

    Out-of-bounds write vulnerability in cgi components in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to conduct denial-of-service attacks via unspecified vectors.

  • CVE-2024-45538 · Dec 4, 2025
    risk 0.00 · cvss · epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in WebAPI Framework in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to execute arbitrary code via unspecified vectors.

  • CVE-2025-53408 · Nov 7, 2025
    risk 0.00 · cvss · epss 0.00

    A NULL pointer dereference vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version:…

  • CVE-2025-53413 · Nov 7, 2025
    risk 0.00 · cvss · epss 0.00

    An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type…

  • CVE-2025-57706 · Nov 7, 2025
    risk 0.00 · cvss · epss 0.00

    A cross-site scripting (XSS) vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the…

  • CVE-2025-29899 · Aug 29, 2025
    risk 0.00 · cvss · epss 0.00

    An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type…

  • CVE-2025-29890 · Aug 29, 2025
    risk 0.00 · cvss · epss 0.00

    An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type…

  • CVE-2025-29901 · Aug 26, 2025
    risk 0.00 · cvss · epss 0.00

    A NULL pointer dereference vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version:…

  • CVE-2024-53288 · Jul 23, 2025
    risk 0.00 · cvss · epss 0.00

    Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in NTP Region functionality in Synology Router Manager (SRM) before 1.3.1-9346-11 allows remote authenticated users with administrator privileges to inject arbitrary web script or…

  • CVE-2024-53287 · Jul 23, 2025
    risk 0.00 · cvss · epss 0.00

    Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in VPN Setting functionality in Synology Router Manager (SRM) before 1.3.1-9346-11 allows remote authenticated users with administrator privileges to inject arbitrary web script or…

  • CVE-2024-53286 · Jul 23, 2025
    risk 0.00 · cvss · epss 0.01

    Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in DDNS Record functionality in Synology Router Manager (SRM) before 1.3.1-9346-11 allows remote authenticated users with administrator privileges to execute arbitrary code…

  • CVE-2024-38648 · Jul 12, 2025
    risk 0.00 · cvss · epss 0.01

    A hardcoded secret in Ivanti DSM before 2024.2 allows an authenticated attacker on an adjacent network to decrypt sensitive data including user credentials.

  • CVE-2025-29885 · Jun 6, 2025
    risk 0.00 · cvss · epss 0.00

    An improper certificate validation vulnerability has been reported to affect File Station 5. If exploited, the vulnerability could allow remote attackers who have gained user access to compromise the security of the system. We have already fixed the vulnerability in the…

  • CVE-2025-29883 · Jun 6, 2025
    risk 0.00 · cvss · epss 0.00

    An improper certificate validation vulnerability has been reported to affect File Station 5. If exploited, the vulnerability could allow remote attackers who have gained user access to compromise the security of the system. We have already fixed the vulnerability in the…

  • CVE-2025-22486 · Jun 6, 2025
    risk 0.00 · cvss · epss 0.00

    An improper certificate validation vulnerability has been reported to affect File Station 5. If exploited, the vulnerability could allow remote attackers who have gained user access to compromise the security of the system. We have already fixed the vulnerability in the…

  • CVE-2025-22490 · Jun 6, 2025
    risk 0.00 · cvss · epss 0.00

    A NULL pointer dereference vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version:…

  • CVE-2025-4679 · May 16, 2025
    risk 0.00 · cvss · epss 0.01

    A vulnerability in Synology Active Backup for Microsoft 365 allows remote authenticated attackers to obtain sensitive information via unspecified vectors.

  • CVE-2025-1021 · Apr 23, 2025
    risk 0.00 · cvss · epss 0.00

    Missing authorization vulnerability in synocopy in Synology DiskStation Manager (DSM) before 7.1.1-42962-8, 7.2.1-69057-7 and 7.2.2-72806-3 allows remote attackers to read arbitrary files via unspecified vectors.

  • CVE-2024-50631 · Mar 19, 2025
    risk 0.00 · cvss · epss 0.25

    Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in the system syncing daemon in Synology Drive Server before 3.0.4-12699, 3.2.1-23280, 3.5.0-26085 and 3.5.1-26102 allows remote attackers to inject SQL commands, limited to write…

  • CVE-2024-50630 · Mar 19, 2025
    risk 0.00 · cvss · epss 0.23

    Missing authentication for critical function vulnerability in the webapi component in Synology Drive Server before 3.0.4-12699, 3.2.1-23280, 3.5.0-26085 and 3.5.1-26102 allows remote attackers to obtain administrator credentials via unspecified vectors.

  • CVE-2024-50629 · Mar 19, 2025
    risk 0.00 · cvss · epss 0.27

    Improper encoding or escaping of output vulnerability in the webapi component in Synology BeeStation OS (BSM) before 1.1-65374 and Synology DiskStation Manager (DSM) before 7.1.1-42962-7, 7.2-64570-4, 7.2.1-69057-6 and 7.2.2-72806-1 allows remote attackers to read limited files…

  • CVE-2024-10445 · Mar 19, 2025
    risk 0.00 · cvss · epss 0.00

    Improper certificate validation vulnerability in the update functionality in Synology BeeStation OS (BSM) before 1.1-65374 and Synology DiskStation Manager (DSM) before 6.2.4-25556-8, 7.1.1-42962-7, 7.2-64570-4, 7.2.1-69057-6 and 7.2.2-72806-1 allows remote attackers to write…

  • CVE-2024-10441 · Mar 19, 2025
    risk 0.00 · cvss · epss 0.01

    Improper encoding or escaping of output vulnerability in the system plugin daemon in Synology BeeStation OS (BSM) before 1.1-65374 and Synology DiskStation Manager (DSM) before 7.2-64570-4, 7.2.1-69057-6 and 7.2.2-72806-1 allows remote attackers to execute arbitrary code via…

  • CVE-2024-10444 · Mar 19, 2025
    risk 0.00 · cvss · epss 0.00

    Improper certificate validation vulnerability in the LDAP utilities in Synology DiskStation Manager (DSM) before 7.1.1-42962-8, 7.2.1-69057-7 and 7.2.2-72806-3 allows man-in-the-middle attackers to hijack the authentication of administrators via unspecified vectors.

  • CVE-2024-47266 · Feb 13, 2025
    risk 0.00 · cvss · epss 0.00

    Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in share file list functionality in Synology Active Backup for Business before 2.7.1-13234, 2.7.1-23234 and 2.7.1-3234 allows remote authenticated users with administrator privileges to…

  • CVE-2024-47265 · Feb 13, 2025
    risk 0.00 · cvss · epss 0.00

    Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in encrypted share umount functionality in Synology Active Backup for Business before 2.7.1-13234, 2.7.1-23234 and 2.7.1-3234 allows remote authenticated users to write specific files…

  • CVE-2024-47264 · Feb 13, 2025
    risk 0.00 · cvss · epss 0.01

    Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in agent-related functionality in Synology Active Backup for Business before 2.7.1-13234, 2.7.1-23234 and 2.7.1-3234 allows remote authenticated users with administrator privileges to…

  • CVE-2024-7572 · Dec 10, 2024
    risk 0.00 · cvss · epss 0.00

    Insufficient permissions in Ivanti DSM before version 2024.3.5740 allows a local authenticated attacker to delete arbitrary files.

  • CVE-2024-53285 · Dec 9, 2024
    risk 0.00 · cvss · epss 0.00

    Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in DDNS Record functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users with administrator privileges to read or write specific files…

  • CVE-2024-53284 · Dec 9, 2024
    risk 0.00 · cvss · epss 0.00

    Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in WiFi Connect Setting functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users with administrator privileges to read or write…

  • CVE-2024-53283 · Dec 9, 2024
    risk 0.00 · cvss · epss 0.00

    Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Router Port Forward functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users with administrator privileges to read or write specific…

  • CVE-2024-53282 · Dec 9, 2024
    risk 0.00 · cvss · epss 0.00

    Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in WiFi Connect MAC Filter functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users with administrator privileges to read or write…

  • CVE-2024-53281 · Dec 9, 2024
    risk 0.00 · cvss · epss 0.00

    Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Network WOL functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users to read or write specific files containing non-sensitive…

  • CVE-2024-53279 · Dec 9, 2024
    risk 0.00 · cvss · epss 0.00

    Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in file station functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users with administrator privileges to read or write specific files…
