Searching...
Please wait while we search the database
| CVE ID | Severity | Description | Published | Actions |
|---|---|---|---|---|
|
CVE-2026-48906
|
CRITICAL |
The vulnerability in the Tassos Framework Plugin allows users to delete arbitrary files on the affected sites.
|
27 May 2026
|
|
|
CVE-2026-48968
|
MEDIUM |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Averta Master Slider allows DOM-Based XSS.
This issue affects Master Slider: from n/a through 3.10.8.
|
27 May 2026
|
|
|
CVE-2026-48877
|
MEDIUM |
Insertion of Sensitive Information Into Sent Data vulnerability in Tom GenerateBlocks allows Retrieve Embedded Sensitive Data.
This issue affects GenerateBlocks: from n/a through 2.1.0.
|
27 May 2026
|
|
|
CVE-2026-2237
|
MEDIUM |
A use of get request method with sensitive query strings vulnerability in volume encryption of Synology Storage Manager package before 1.0.1-1100 allows local users on Windows to obtain sensitive information.
|
27 May 2026
|
|
|
CVE-2025-66593
|
MEDIUM |
An origin validation error vulnerability in Synology Assistant before 7.0.6-50085 allows local users to write arbitrary files with restricted content and conduct denial-of-service during installation.
|
27 May 2026
|
|
|
CVE-2025-66592
|
MEDIUM |
An origin validation error vulnerability in Synology Active Backup for Business Agent before 3.1.0-4967 allows local users to write arbitrary files with restricted content and conduct denial-of-service during installation.
|
27 May 2026
|
|
|
CVE-2025-30028
|
HIGH |
A vulnerability in Active Backup for Business allows unauthorized remote attackers to read arbitrary files.
|
27 May 2026
|
|
|
CVE-2025-52747
|
HIGH |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jthemes Themebox - Digital Products Ecommerce allows Reflected XSS.
This issue affects Themebox - Digital Products Ecommerce: from n/a through 1.4.2.
|
27 May 2026
|
|
|
CVE-2025-14713
|
HIGH |
An Exposed Dangerous Method or Function vulnerability in Synology C2 Identity Edge Server package in DSM before 1.76.0-0307 allows remote attackers to obtain user credentials from the edge server.
|
27 May 2026
|
|
|
CVE-2025-13593
|
MEDIUM |
Origin validation error vulnerability in Synology ActiveProtect Agent before 1.1.0-0439 allows local users to write arbitrary files with restricted content and conduct denial-of-service during installation.
|
27 May 2026
|
|
|
CVE-2025-12686
|
CRITICAL |
Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in AdminCenter in Synology BeeStation OS before 1.3.2-65648 allows remote attackers to execute arbitrary code via unspecified vectors.
|
27 May 2026
|
|
|
CVE-2025-13392
|
HIGH |
Improper check for unusual or exceptional conditions vulnerability in SSO in Synology DiskStation Manager (DSM) before 7.2.2-72806-5 and 7.3.1-86003-1 (7.2.1-69057 is not affected) allows remote attackers to bypass authentication with prior knowledge of the distinguished name (DN).
|
27 May 2026
|
|
|
CVE-2025-22741
|
HIGH |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RiceTheme Felan Framework allows Reflected XSS.
This issue affects Felan Framework: from n/a through 1.1.3.
|
27 May 2026
|
|
|
CVE-2025-13167
|
MEDIUM |
Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in contact functionality in Synology Contacts before 1.0.10-20659 allows remote authenticated users to read or write specific files containing non-sensitive information via unspecified vectors.
|
27 May 2026
|
|
|
CVE-2025-10466
|
MEDIUM |
Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Safe Access in Synology Safe Access before 1.3.1-0329 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information or conduct limited denial-of-service in SRM.
|
27 May 2026
|
|
|
CVE-2024-47272
|
LOW |
Incorrect authorization vulnerability in IO Module functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to limited file write via unspecified vectors.
|
27 May 2026
|
|
|
CVE-2024-47271
|
MEDIUM |
Insufficiently protected credentials vulnerability in IPSpeaker component in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to obtain sensitive information via unspecified vectors.
|
27 May 2026
|
|
|
CVE-2024-47270
|
LOW |
Improper preservation of permissions vulnerability in Archiving Push functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to limited file write via unspecified vectors.
|
27 May 2026
|
|
|
CVE-2024-47269
|
MEDIUM |
Cleartext transmission of sensitive information vulnerability in Export Key functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to obtain sensitive information via unspecified vectors.
|
27 May 2026
|
|
|
CVE-2024-47268
|
MEDIUM |
Missing authorization vulnerability in AddOns functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to obtain sensitive information via unspecified vectors.
|
27 May 2026
|
|
|
CVE-2024-47267
|
LOW |
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Archiving Pull functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to limited file write via unspecified vectors.
|
27 May 2026
|
|
|
CVE-2024-11399
|
MEDIUM |
Files or directories accessible to external parties vulnerability in redis-server component in Synology BeeDrive for desktop before 1.3.2-13814 allows local users to conduct denial-of-service attacks via unspecified vectors.
|
27 May 2026
|
|
|
CVE-2023-52945
|
HIGH |
Uncontrolled search path element vulnerability in OpenSSL DLL component in Synology BeeDrive for desktop before 1.3.2-13814 allows local users to execute arbitrary code via unspecified vectors.
|
27 May 2026
|
|
|
CVE-2026-49002
|
CRITICAL |
Access control failure means that an application does not effectively check user access permissions, so that unauthorized users can access system data beyond their permissions, such as viewing and modifying configuration information.
|
27 May 2026
|
|
|
CVE-2026-40852
|
HIGH |
A highly authenticated attacker can alter the config generator injecting a payload into future created configurations. The device is not correctly checking this configuration value before passing it to an system execute leading to code execution. This can result in a total loss of confidentiality, integrity and availability.
|
27 May 2026
|
CVE-2026-48906
CRITICAL
27 May 2026
The vulnerability in the Tassos Framework Plugin allows users to delete arbitrary files on the affected sites.
CVE-2026-48968
MEDIUM
27 May 2026
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Averta Master Slider allows DOM-Based XSS.
This issue affects Master Slider: from n/a through 3.10.8.
CVE-2026-48877
MEDIUM
27 May 2026
Insertion of Sensitive Information Into Sent Data vulnerability in Tom GenerateBlocks allows Retrieve Embedded Sensitive Data.
This issue affects GenerateBlocks: from n/a through 2.1.0.
CVE-2026-2237
MEDIUM
27 May 2026
A use of get request method with sensitive query strings vulnerability in volume encryption of Synology Storage Manager package before 1.0.1-1100 allows local users on Windows to obtain sensitive information.
CVE-2025-66593
MEDIUM
27 May 2026
An origin validation error vulnerability in Synology Assistant before 7.0.6-50085 allows local users to write arbitrary files with restricted content and conduct denial-of-service during installation.
CVE-2025-66592
MEDIUM
27 May 2026
An origin validation error vulnerability in Synology Active Backup for Business Agent before 3.1.0-4967 allows local users to write arbitrary files with restricted content and conduct denial-of-service during installation.
CVE-2025-30028
HIGH
27 May 2026
A vulnerability in Active Backup for Business allows unauthorized remote attackers to read arbitrary files.
CVE-2025-52747
HIGH
27 May 2026
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jthemes Themebox - Digital Products Ecommerce allows Reflected XSS.
This issue affects Themebox - Digital Products Ecommerce: from n/a through 1.4.2.
CVE-2025-14713
HIGH
27 May 2026
An Exposed Dangerous Method or Function vulnerability in Synology C2 Identity Edge Server package in DSM before 1.76.0-0307 allows remote attackers to obtain user credentials from the edge server.
CVE-2025-13593
MEDIUM
27 May 2026
Origin validation error vulnerability in Synology ActiveProtect Agent before 1.1.0-0439 allows local users to write arbitrary files with restricted content and conduct denial-of-service during installation.
CVE-2025-12686
CRITICAL
27 May 2026
Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in AdminCenter in Synology BeeStation OS before 1.3.2-65648 allows remote attackers to execute arbitrary code via unspecified vectors.
CVE-2025-13392
HIGH
27 May 2026
Improper check for unusual or exceptional conditions vulnerability in SSO in Synology DiskStation Manager (DSM) before 7.2.2-72806-5 and 7.3.1-86003-1 (7.2.1-69057 is not affected) allows remote attackers to bypass authentication with prior knowledge of the distinguished name (DN).
CVE-2025-22741
HIGH
27 May 2026
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RiceTheme Felan Framework allows Reflected XSS.
This issue affects Felan Framework: from n/a through 1.1.3.
CVE-2025-13167
MEDIUM
27 May 2026
Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in contact functionality in Synology Contacts before 1.0.10-20659 allows remote authenticated users to read or write specific files containing non-sensitive information via unspecified vectors.
CVE-2025-10466
MEDIUM
27 May 2026
Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Safe Access in Synology Safe Access before 1.3.1-0329 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information or conduct limited denial-of-service in SRM.
CVE-2024-47272
LOW
27 May 2026
Incorrect authorization vulnerability in IO Module functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to limited file write via unspecified vectors.
CVE-2024-47271
MEDIUM
27 May 2026
Insufficiently protected credentials vulnerability in IPSpeaker component in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to obtain sensitive information via unspecified vectors.
CVE-2024-47270
LOW
27 May 2026
Improper preservation of permissions vulnerability in Archiving Push functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to limited file write via unspecified vectors.
CVE-2024-47269
MEDIUM
27 May 2026
Cleartext transmission of sensitive information vulnerability in Export Key functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to obtain sensitive information via unspecified vectors.
CVE-2024-47268
MEDIUM
27 May 2026
Missing authorization vulnerability in AddOns functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to obtain sensitive information via unspecified vectors.
CVE-2024-47267
LOW
27 May 2026
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Archiving Pull functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to limited file write via unspecified vectors.
CVE-2024-11399
MEDIUM
27 May 2026
Files or directories accessible to external parties vulnerability in redis-server component in Synology BeeDrive for desktop before 1.3.2-13814 allows local users to conduct denial-of-service attacks via unspecified vectors.
CVE-2023-52945
HIGH
27 May 2026
Uncontrolled search path element vulnerability in OpenSSL DLL component in Synology BeeDrive for desktop before 1.3.2-13814 allows local users to execute arbitrary code via unspecified vectors.
CVE-2026-49002
CRITICAL
27 May 2026
Access control failure means that an application does not effectively check user access permissions, so that unauthorized users can access system data beyond their permissions, such as viewing and modifying configuration information.
CVE-2026-40852
HIGH
27 May 2026
A highly authenticated attacker can alter the config generator injecting a payload into future created configurations. The device is not correctly checking this configuration value before passing it to an system execute leading to code execution. This can result in a total loss of confidentiality, integrity and availability.
Page 104 of 400
Page 104 of 400