Filtered by vendor Synology
Subscribe
Total
323 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-2264 | 1 Synology | 1 Diskstation Manager | 2026-04-29 | 7.8 HIGH | N/A |
| The OpenVPN module in Synology DiskStation Manager (DSM) 4.3-3810 update 1 has a hardcoded root password of synopass, which makes it easier for remote attackers to obtain access via a VPN session. | |||||
| CVE-2013-6955 | 1 Synology | 1 Diskstation Manager | 2026-04-29 | 10.0 HIGH | N/A |
| webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header. | |||||
| CVE-2013-6987 | 1 Synology | 1 Diskstation Manager | 2026-04-29 | 7.5 HIGH | N/A |
| Multiple directory traversal vulnerabilities in the FileBrowser components in Synology DiskStation Manager (DSM) before 4.3-3810 Update 3 allow remote attackers to read, write, and delete arbitrary files via a .. (dot dot) in the (1) path parameter to file_delete.cgi or (2) folder_path parameter to file_share.cgi in webapi/FileStation/; (3) dlink parameter to fbdownload/; or unspecified parameters to (4) html5_upload.cgi, (5) file_download.cgi, (6) file_sharing.cgi, (7) file_MVCP.cgi, or (8) file_rename.cgi in webapi/FileStation/. | |||||
| CVE-2010-2453 | 1 Synology | 13 Disk Station Ds1010\+, Disk Station Ds109, Disk Station Ds110\+ and 10 more | 2026-04-29 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Synology Disk Station 2.x before DSM3.0-1337 allow remote attackers to inject arbitrary web script or HTML by connecting to the FTP server and providing a crafted (1) USER or (2) PASS command, which is written by the FTP logging module to a web-interface log window, related to a "web commands injection" issue. | |||||
| CVE-2010-3684 | 1 Synology | 13 Disk Station Ds1010\+, Disk Station Ds109, Disk Station Ds110\+ and 10 more | 2026-04-29 | 2.1 LOW | N/A |
| The FTP authentication module in Synology Disk Station 2.x logs passwords to the web application interface in cases of incorrect login attempts, which allows local users to obtain sensitive information by reading a log, a different vulnerability than CVE-2010-2453. | |||||
| CVE-2026-3091 | 1 Synology | 1 Presto Client | 2026-03-04 | N/A | 6.7 MEDIUM |
| An uncontrolled search path element vulnerability in Synology Presto Client before 2.1.3-0672 allows local users to read or write arbitrary files during installation by placing a malicious DLL in advance in the same directory as the installer. | |||||
| CVE-2024-47264 | 1 Synology | 2 Active Backup For Business Agent, Diskstation Manager | 2026-02-26 | N/A | 4.9 MEDIUM |
| Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in agent-related functionality in Synology Active Backup for Business before 2.7.1-13234, 2.7.1-23234 and 2.7.1-3234 allows remote authenticated users with administrator privileges to delete arbitrary files via unspecified vectors. | |||||
| CVE-2024-47265 | 1 Synology | 2 Active Backup For Business Agent, Diskstation Manager | 2026-02-26 | N/A | 6.5 MEDIUM |
| Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in encrypted share umount functionality in Synology Active Backup for Business before 2.7.1-13234, 2.7.1-23234 and 2.7.1-3234 allows remote authenticated users to write specific files via unspecified vectors. | |||||
| CVE-2024-47266 | 1 Synology | 2 Active Backup For Business Agent, Diskstation Manager | 2026-02-26 | N/A | 2.7 LOW |
| Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in share file list functionality in Synology Active Backup for Business before 2.7.1-13234, 2.7.1-23234 and 2.7.1-3234 allows remote authenticated users with administrator privileges to read specific files containing non-sensitive information via unspecified vectors. | |||||
| CVE-2025-54158 | 1 Synology | 1 Beedrive | 2026-02-24 | N/A | 7.8 HIGH |
| Missing authentication for critical function vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows local users to execute arbitrary code via unspecified vectors. | |||||
| CVE-2020-1472 | 8 Canonical, Debian, Fedoraproject and 5 more | 15 Ubuntu Linux, Debian Linux, Fedora and 12 more | 2026-02-23 | 9.3 HIGH | 5.5 MEDIUM |
| An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access. Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels. For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020). When the second phase of Windows updates become available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications. | |||||
| CVE-2018-1160 | 3 Debian, Netatalk, Synology | 7 Debian Linux, Netatalk, Diskstation Manager and 4 more | 2026-02-13 | 10.0 HIGH | 9.8 CRITICAL |
| Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution. | |||||
| CVE-2025-2848 | 1 Synology | 2 Diskstation Manager, Mail Server | 2026-02-09 | N/A | 6.3 MEDIUM |
| A vulnerability in Synology Mail Server allows remote authenticated attackers to read and write non-sensitive settings, and disable some non-critical functions. | |||||
| CVE-2025-54160 | 1 Synology | 1 Beedrive | 2026-02-04 | N/A | 7.8 HIGH |
| Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows local users to execute arbitrary code via unspecified vectors. | |||||
| CVE-2025-54159 | 1 Synology | 1 Beedrive | 2026-02-04 | N/A | 7.5 HIGH |
| Missing authorization vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows remote attackers to delete arbitrary files via unspecified vectors. | |||||
| CVE-2025-8074 | 1 Synology | 1 Beedrive | 2026-02-04 | N/A | 5.6 MEDIUM |
| Origin validation error vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.3-13973 allows local users to write arbitrary files with non-sensitive information via unspecified vectors. | |||||
| CVE-2024-4464 | 1 Synology | 1 Media Server | 2026-01-29 | N/A | 7.5 HIGH |
| Authorization bypass through user-controlled key vulnerability in streaming service in Synology Media Server before 1.4-2680, 2.0.5-3152 and 2.2.0-3325 allows remote attackers to read specific files via unspecified vectors. | |||||
| CVE-2024-10442 | 2 Syncology, Synology | 5 Replication Service, Diskstation Manager, Diskstation Manager Unified Controller and 2 more | 2026-01-16 | N/A | 10.0 CRITICAL |
| Off-by-one error vulnerability in the transmission component in Synology Replication Service before 1.0.12-0066, 1.2.2-0353 and 1.3.0-0423 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to execute arbitrary code, potentially leading to a broader impact across the system via unspecified vectors. | |||||
| CVE-2024-11131 | 1 Synology | 6 Bc500, Bc500 Firmware, Cc400w and 3 more | 2026-01-16 | N/A | 9.8 CRITICAL |
| A vulnerability regarding out-of-bounds read is found in the video interface. This allows remote attackers to execute arbitrary code via unspecified vectors. The following models with Synology Camera Firmware versions before 1.2.0-0525 may be affected: BC500, CC400W and TC500. | |||||
| CVE-2024-50630 | 1 Synology | 1 Drive Server | 2026-01-16 | N/A | 7.5 HIGH |
| Missing authentication for critical function vulnerability in the webapi component in Synology Drive Server before 3.0.4-12699, 3.2.1-23280, 3.5.0-26085 and 3.5.1-26102 allows remote attackers to obtain administrator credentials via unspecified vectors. | |||||