Filtered by vendor Synology
Subscribe
Total
314 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-4464 | 1 Synology | 1 Media Server | 2026-01-29 | N/A | 7.5 HIGH |
| Authorization bypass through user-controlled key vulnerability in streaming service in Synology Media Server before 1.4-2680, 2.0.5-3152 and 2.2.0-3325 allows remote attackers to read specific files via unspecified vectors. | |||||
| CVE-2024-10442 | 2 Syncology, Synology | 5 Replication Service, Diskstation Manager, Diskstation Manager Unified Controller and 2 more | 2026-01-16 | N/A | 10.0 CRITICAL |
| Off-by-one error vulnerability in the transmission component in Synology Replication Service before 1.0.12-0066, 1.2.2-0353 and 1.3.0-0423 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to execute arbitrary code, potentially leading to a broader impact across the system via unspecified vectors. | |||||
| CVE-2024-11131 | 1 Synology | 6 Bc500, Bc500 Firmware, Cc400w and 3 more | 2026-01-16 | N/A | 9.8 CRITICAL |
| A vulnerability regarding out-of-bounds read is found in the video interface. This allows remote attackers to execute arbitrary code via unspecified vectors. The following models with Synology Camera Firmware versions before 1.2.0-0525 may be affected: BC500, CC400W and TC500. | |||||
| CVE-2024-50630 | 1 Synology | 1 Drive Server | 2026-01-16 | N/A | 7.5 HIGH |
| Missing authentication for critical function vulnerability in the webapi component in Synology Drive Server before 3.0.4-12699, 3.2.1-23280, 3.5.0-26085 and 3.5.1-26102 allows remote attackers to obtain administrator credentials via unspecified vectors. | |||||
| CVE-2024-50631 | 1 Synology | 1 Drive Server | 2026-01-16 | N/A | 7.5 HIGH |
| Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in the system syncing daemon in Synology Drive Server before 3.0.4-12699, 3.2.1-23280, 3.5.0-26085 and 3.5.1-26102 allows remote attackers to inject SQL commands, limited to write operations, via unspecified vectors. | |||||
| CVE-2024-45538 | 1 Synology | 2 Diskstation Manager, Diskstation Manager Unified Controller | 2025-12-05 | N/A | 9.6 CRITICAL |
| Cross-Site Request Forgery (CSRF) vulnerability in WebAPI Framework in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to execute arbitrary code via unspecified vectors. | |||||
| CVE-2024-45539 | 1 Synology | 2 Diskstation Manager, Diskstation Manager Unified Controller | 2025-12-05 | N/A | 7.5 HIGH |
| Out-of-bounds write vulnerability in cgi components in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to conduct denial-of-service attacks via unspecified vectors. | |||||
| CVE-2024-5401 | 1 Synology | 2 Diskstation Manager, Diskstation Manager Unified Controller | 2025-12-05 | N/A | 4.3 MEDIUM |
| Improper control of dynamically-managed code resources vulnerability in WebAPI component in Synology DiskStation Manager (DSM) before 7.1.1-42962-8 and 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote authenticated users to obtain privileges without consent via unspecified vectors. | |||||
| CVE-2025-29843 | 1 Synology | 1 Router Manager | 2025-12-05 | N/A | 5.4 MEDIUM |
| A vulnerability in FileStation thumb cgi allows remote authenticated users to read/write image files. | |||||
| CVE-2025-29844 | 1 Synology | 1 Router Manager | 2025-12-05 | N/A | 4.3 MEDIUM |
| A vulnerability in FileStation file cgi allows remote authenticated users to read file metadata and path information. | |||||
| CVE-2025-29845 | 1 Synology | 1 Router Manager | 2025-12-05 | N/A | 4.3 MEDIUM |
| A vulnerability in VideoPlayer2 subtitle cgi allows remote authenticated users to read .srt files. | |||||
| CVE-2025-29846 | 1 Synology | 1 Router Manager | 2025-12-05 | N/A | 7.2 HIGH |
| A vulnerability in portenable cgi allows remote authenticated users to get the status of installed packages. | |||||
| CVE-2025-1021 | 1 Synology | 1 Diskstation Manager | 2025-11-17 | N/A | 7.5 HIGH |
| Missing authorization vulnerability in synocopy in Synology DiskStation Manager (DSM) before 7.1.1-42962-8, 7.2.1-69057-7 and 7.2.2-72806-3 allows remote attackers to read arbitrary files via unspecified vectors. | |||||
| CVE-2024-10441 | 1 Synology | 2 Beestation Os, Diskstation Manager | 2025-11-17 | N/A | 9.8 CRITICAL |
| Improper encoding or escaping of output vulnerability in the system plugin daemon in Synology BeeStation OS (BSM) before 1.1-65374 and Synology DiskStation Manager (DSM) before 7.2-64570-4, 7.2.1-69057-6 and 7.2.2-72806-1 allows remote attackers to execute arbitrary code via unspecified vectors. | |||||
| CVE-2024-10444 | 1 Synology | 1 Diskstation Manager | 2025-11-17 | N/A | 7.5 HIGH |
| Improper certificate validation vulnerability in the LDAP utilities in Synology DiskStation Manager (DSM) before 7.1.1-42962-8, 7.2.1-69057-7 and 7.2.2-72806-3 allows man-in-the-middle attackers to hijack the authentication of administrators via unspecified vectors. | |||||
| CVE-2024-10445 | 1 Synology | 2 Beestation Os, Diskstation Manager | 2025-11-17 | N/A | 4.3 MEDIUM |
| Improper certificate validation vulnerability in the update functionality in Synology BeeStation OS (BSM) before 1.1-65374 and Synology DiskStation Manager (DSM) before 6.2.4-25556-8, 7.1.1-42962-7, 7.2-64570-4, 7.2.1-69057-6 and 7.2.2-72806-1 allow remote attackers to write limited files via unspecified vectors. | |||||
| CVE-2024-50629 | 1 Synology | 2 Beestation Os, Diskstation Manager | 2025-11-17 | N/A | 5.3 MEDIUM |
| Improper encoding or escaping of output vulnerability in the webapi component in Synology BeeStation OS (BSM) before 1.1-65374 and Synology DiskStation Manager (DSM) before 7.1.1-42962-7, 7.2-64570-4, 7.2.1-69057-6 and 7.2.2-72806-1 allow remote attackers to read limited files via unspecified vectors. | |||||
| CVE-2021-3156 | 8 Beyondtrust, Debian, Fedoraproject and 5 more | 31 Privilege Management For Mac, Privilege Management For Unix\/linux, Debian Linux and 28 more | 2025-11-10 | 7.2 HIGH | 7.8 HIGH |
| Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character. | |||||
| CVE-2020-1472 | 8 Canonical, Debian, Fedoraproject and 5 more | 15 Ubuntu Linux, Debian Linux, Fedora and 12 more | 2025-10-29 | 9.3 HIGH | 5.5 MEDIUM |
| An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access. Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels. For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020). When the second phase of Windows updates become available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications. | |||||
| CVE-2024-10443 | 1 Synology | 4 Beephotos, Beestation Os, Diskstation Manager and 1 more | 2025-09-16 | N/A | 9.8 CRITICAL |
| Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in Task Manager component in Synology BeePhotos before 1.0.2-10026 and 1.1.0-10053 and Synology Photos before 1.6.2-0720 and 1.7.0-0795 allows remote attackers to execute arbitrary code via unspecified vectors. | |||||