CVE-2026-3091

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-3091
An uncontrolled search path element vulnerability in Synology Presto Client before 2.1.3-0672 allows local users to read or write arbitrary files during installation by placing a malicious DLL in advance in the same directory as the installer.

6.7 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://www.synology.com/en-global/security/advisory/Synology_SA_26_02 Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:synology:presto_client:*:*:*:*:*:*:*:*
History

04 Mar 2026, 02:21

Type Values Removed Values Added
Summary
  • (es) Una vulnerabilidad de elemento de ruta de búsqueda no controlado en Synology Presto Cliente antes de 2.1.3-0672 permite a usuarios locales leer o escribir archivos arbitrarios durante la instalación al colocar una DLL maliciosa de antemano en el mismo directorio que el instalador.
First Time Synology
Synology presto Client
CPE cpe:2.3:a:synology:presto_client:*:*:*:*:*:*:*:*
References () https://www.synology.com/en-global/security/advisory/Synology_SA_26_02 - () https://www.synology.com/en-global/security/advisory/Synology_SA_26_02 - Vendor Advisory

24 Feb 2026, 03:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-24 03:16

Updated : 2026-03-04 02:21

NVD link : CVE-2026-3091

Mitre link : CVE-2026-3091

CVE.ORG link : CVE-2026-3091

JSON object : View

Products Affected

synology

  • presto_client
CWE
CWE-427

Uncontrolled Search Path Element