Synology

Synology's mission is to manage and protect the world's data.


Products by Synology, Sorted by Most Security Vulnerabilities since 2018

Synology Diskstation Manager: 93 vulnerabilities
Synology Router Manager: 54 vulnerabilities
Synology Skynas: 16 vulnerabilities
Synology Photo Station: 16 vulnerabilities
Synology Calendar: 10 vulnerabilities
Synology Download Station: 7 vulnerabilities
Synology Media Server: 6 vulnerabilities
Synology Drive Server: 6 vulnerabilities
Synology Drive Client: 6 vulnerabilities
Synology Usb Copy: 1 vulnerability
Synology Sso Server: 1 vulnerability
Synology Photos: 1 vulnerability

By the Year

In 2026 there have been 0 vulnerabilities in Synology. Last year, in 2025, Synology had 24 security vulnerabilities published. Right now, Synology is on track to have fewer security vulnerabilities in 2026 than it did last year.

Year Vulnerabilities Average Score
2026 0 0.00
2025 24 6.47
2024 29 6.05
2023 11 7.67
2022 35 7.78
2021 35 7.87
2020 22 7.35
2019 37 6.56
2018 29 6.74

It may take a day or so for new Synology vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Synology Security Vulnerabilities

Each entry lists the CVE and its publication date, the vulnerability title, the description, and the affected Synology products (where tagged).

CVE-2025-8074 (Dec 04, 2025)
BeeDrive Desktop <1.4.3: Local User Arbitrary File Write via Origin Validation
Origin validation error vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.3-13973 allows local users to write arbitrary files with non-sensitive information via unspecified vectors.

CVE-2025-54160 (Dec 04, 2025)
Synology BeeDrive <1.4.2-13960 Path Traversal allows local code execution
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows local users to execute arbitrary code via unspecified vectors.

CVE-2025-54159 (Dec 04, 2025)
BeeDrive Desktop <1.4.2-13960: Missing Auth Allows Remote File Delete
Missing authorization vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows remote attackers to delete arbitrary files via unspecified vectors.

CVE-2025-54158 (Dec 04, 2025)
Missing Auth in Synology BeeDrive Desktop <1.4.2-13960 allows local code exec
Missing authentication for critical function vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows local users to execute arbitrary code via unspecified vectors.

CVE-2025-2848 (Dec 04, 2025)
Synology Mail Server Auth Lets Adversary Edit Config (CVE-2025-2848)
A vulnerability in Synology Mail Server allows remote authenticated attackers to read and write non-sensitive settings, and disable some non-critical functions.

CVE-2025-29846 (Dec 04, 2025)
Portenable CGI Remote Authenticated Package Status Disclosure
A vulnerability in portenable cgi allows remote authenticated users to get the status of installed packages.
Products: Router Manager

CVE-2025-29845 (Dec 04, 2025)
VideoPlayer2 Subtitle CGI Authenticated File Disclosure
A vulnerability in VideoPlayer2 subtitle cgi allows remote authenticated users to read .srt files.
Products: Router Manager

CVE-2025-29844 (Dec 04, 2025)
Synology FileStation Cgi: Remote Authenticated Path & Metadata Disclosure
A vulnerability in FileStation file cgi allows remote authenticated users to read file metadata and path information.
Products: Router Manager

CVE-2025-29843 (Dec 04, 2025)
Synology FileStation CGI R/W Access via thumb (CVE-2025-29843)
A vulnerability in FileStation thumb cgi allows remote authenticated users to read/write image files.
Products: Router Manager

CVE-2024-5401 (Dec 04, 2025)
Synology DSM WebAPI CVE-2024-5401: Improper Code Resource Control pre-7.1.1-42962-8, pre-7.2.1-69057
Improper control of dynamically-managed code resources vulnerability in WebAPI component in Synology DiskStation Manager (DSM) before 7.1.1-42962-8 and 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote authenticated users to obtain privileges without consent via unspecified vectors.
Products: Diskstation Manager

CVE-2024-45539 (Dec 04, 2025)
Out-of-bound write in Synology DSM CGI before 7.2.1 (DoS)
Out-of-bounds write vulnerability in cgi components in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to conduct denial-of-service attacks via unspecified vectors.
Products: Diskstation Manager

CVE-2024-45538 (Dec 04, 2025)
Synology DSM WebAPI CSRF CVE-2024-45538 (before 7.2.1/7.2.2)
Cross-Site Request Forgery (CSRF) vulnerability in WebAPI Framework in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to execute arbitrary code via unspecified vectors.
Products: Diskstation Manager

CVE-2025-58463 (Nov 07, 2025)
Path Traversal in Synology Download Station 5.10.0.304+
A relative path traversal vulnerability has been reported to affect Download Station. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following versions: Download Station 5.10.0.305 (2025/09/16) and later; Download Station 5.10.0.304 (2025/09/08) and later.
Products: Download Station

CVE-2025-58465 (Nov 07, 2025)
XSS in Download Station <5.10.0.304 - remote account bypass
A cross-site scripting (XSS) vulnerability has been reported to affect Download Station. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: Download Station 5.10.0.305 (2025/09/16) and later; Download Station 5.10.0.304 (2025/09/08) and later.
Products: Download Station

CVE-2024-53286 (Jul 23, 2025)
Synology Router Manager DDNS RCE before 1.3.1-9346-11
Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in DDNS Record functionality in Synology Router Manager (SRM) before 1.3.1-9346-11 allows remote authenticated users with administrator privileges to execute arbitrary code via unspecified vectors.
Products: Router Manager

CVE-2024-53287 (Jul 23, 2025)
Synology Router Manager SRM <1.3.1-9346-11 XSS in VPN Settings
Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in VPN Setting functionality in Synology Router Manager (SRM) before 1.3.1-9346-11 allows remote authenticated users with administrator privileges to inject arbitrary web script or HTML via unspecified vectors.
Products: Router Manager

CVE-2024-53288 (Jul 23, 2025)
Synology Router Manager Prior to 1.3.1-9346-11 XSS via NTP Region
Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in NTP Region functionality in Synology Router Manager (SRM) before 1.3.1-9346-11 allows remote authenticated users with administrator privileges to inject arbitrary web script or HTML via unspecified vectors.
Products: Router Manager

CVE-2025-4679 (May 16, 2025)
Synology Active Backup for M365 Remote Authenticated Info Disclosure
A vulnerability in Synology Active Backup for Microsoft 365 allows remote authenticated attackers to obtain sensitive information via unspecified vectors.
Products: Active Backup Microsoft 365

CVE-2024-50630 (Mar 19, 2025)
Synology Drive Server webapi missing auth pre-3.5.1
Missing authentication for critical function vulnerability in the webapi component in Synology Drive Server before 3.0.4-12699, 3.2.1-23280, 3.5.0-26085 and 3.5.1-26102 allows remote attackers to obtain administrator credentials via unspecified vectors.
Products: Drive Server

CVE-2024-50631 (Mar 19, 2025)
Synology Drive Server <3.0.4-12699 SQLi in sync daemon (SQL Injection)
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in the system syncing daemon in Synology Drive Server before 3.0.4-12699, 3.2.1-23280, 3.5.0-26085 and 3.5.1-26102 allows remote attackers to inject SQL commands, limited to write operations, via unspecified vectors.
Products: Drive Server

CVE-2024-10441 (Mar 19, 2025)
Synology DSM 7.2 RCE via sysplugin Daemon XSS
Improper encoding or escaping of output vulnerability in the system plugin daemon in Synology BeeStation OS (BSM) before 1.1-65374 and Synology DiskStation Manager (DSM) before 7.2-64570-4, 7.2.1-69057-6 and 7.2.2-72806-1 allows remote attackers to execute arbitrary code via unspecified vectors.
Products: Diskstation Manager

CVE-2024-10444 (Mar 19, 2025)
Impr Cert Validation in DSM LDAP (v<7.2) – MITM Auth Hijack
Improper certificate validation vulnerability in the LDAP utilities in Synology DiskStation Manager (DSM) before 7.1.1-42962-8, 7.2.1-69057-7 and 7.2.2-72806-3 allows man-in-the-middle attackers to hijack the authentication of administrators via unspecified vectors.
Products: Diskstation Manager

CVE-2024-10445 (Mar 19, 2025)
Unvalidated Cert Allows Rmt Write in Synology BeeStation & DSM <1.1/6.2.4
Improper certificate validation vulnerability in the update functionality in Synology BeeStation OS (BSM) before 1.1-65374 and Synology DiskStation Manager (DSM) before 6.2.4-25556-8, 7.1.1-42962-7, 7.2-64570-4, 7.2.1-69057-6 and 7.2.2-72806-1 allows remote attackers to write limited files via unspecified vectors.
Products: Diskstation Manager

CVE-2024-47265 (Feb 13, 2025)
Path Traversal via Unmount in Synology AB 2.7.1-13234/23234/3234
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in encrypted share umount functionality in Synology Active Backup for Business before 2.7.1-13234, 2.7.1-23234 and 2.7.1-3234 allows remote authenticated users to write specific files via unspecified vectors.

CVE-2024-4464 (Dec 18, 2024)
Synology Media Server before 1.4, 2.0.5, 2.2.0: Auth Bypass (CVE-2024-4464)
Authorization bypass through user-controlled key vulnerability in streaming service in Synology Media Server before 1.4-2680, 2.0.5-3152 and 2.2.0-3325 allows remote attackers to read specific files via unspecified vectors.
Products: Media Server

CVE-2024-53280 (Dec 09, 2024)
Synology Router Manager (SRM) Cross-Site Scripting Vulnerability in Policy Route Functionality
Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in network center policy route functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information and conduct limited denial-of-service attacks by injecting arbitrary web script or HTML.
Products: Router Manager

CVE-2024-53279 (Dec 09, 2024)
Synology Router Manager (SRM) File Station XSS Vulnerability
Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in file station functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information and conduct limited denial-of-service attacks by injecting arbitrary web script or HTML.
Products: Router Manager

CVE-2024-53281 (Dec 09, 2024)
Synology SRM: Cross-Site Scripting (XSS) Vulnerability in Network WOL Functionality
Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Network WOL functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users to read or write specific files containing non-sensitive information and conduct limited denial-of-service attacks by injecting arbitrary web script or HTML.
Products: Router Manager

CVE-2024-53282 (Dec 09, 2024)
Synology SRM: Cross-Site Scripting (XSS) Vulnerability in WiFi Connect MAC Filter
Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in WiFi Connect MAC Filter functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information and conduct limited denial-of-service attacks by injecting arbitrary web script or HTML.
Products: Router Manager

CVE-2024-53283 (Dec 09, 2024)
Synology SRM Router Port Forward XSS Vulnerability
Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Router Port Forward functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information and conduct limited denial-of-service attacks by injecting arbitrary web script or HTML.
Products: Router Manager

CVE-2024-53284 (Dec 09, 2024)
Synology SRM WiFi Connect Setting XSS Vulnerability
Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in WiFi Connect Setting functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information and conduct limited denial-of-service attacks by injecting arbitrary web script or HTML.
Products: Router Manager

CVE-2024-53285 (Dec 09, 2024)
Synology SRM DDNS Record XSS Vulnerability
Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in DDNS Record functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information and conduct limited denial-of-service attacks by injecting arbitrary web script or HTML.
Products: Router Manager

CVE-2024-11398 (Dec 04, 2024)
Synology SRM Path Traversal Vulnerability in OTP Reset Functionality
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in OTP reset functionality in Synology Router Manager (SRM) before 1.3.1-9346-9 allows remote authenticated users to delete arbitrary files via unspecified vectors.
Products: Router Manager

CVE-2024-32767 (Nov 22, 2024)
XSS in Synology Photo Station 6.4.3: Remote User-Aware Injection
A cross-site scripting (XSS) vulnerability has been reported to affect Photo Station. If exploited, the vulnerability could allow remote attackers who have gained user access to inject malicious code. We have already fixed the vulnerability in the following version: Photo Station 6.4.3 (2024/07/12) and later.
Products: Photo Station

CVE-2024-32768 (Nov 22, 2024)
Photo Station XSS <6.4.3 (fixed 6.4.3)
A cross-site scripting (XSS) vulnerability has been reported to affect Photo Station. If exploited, the vulnerability could allow remote attackers who have gained user access to inject malicious code. We have already fixed the vulnerability in the following version: Photo Station 6.4.3 (2024/07/12) and later.
Products: Photo Station

CVE-2024-32769 (Nov 22, 2024)
XSS in Photo Station <6.4.3 via User Access, Fixed in 6.4.3
A cross-site scripting (XSS) vulnerability has been reported to affect Photo Station. If exploited, the vulnerability could allow remote attackers who have gained user access to inject malicious code. We have already fixed the vulnerability in the following version: Photo Station 6.4.3 (2024/07/12) and later.
Products: Photo Station

CVE-2024-10443 (Nov 15, 2024)
OS Cmd Inject in Synology BeePhotos/Photos TM (v<1.1.0-10053/1.7.0-0795)
Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in Task Manager component in Synology BeePhotos before 1.0.2-10026 and 1.1.0-10053 and Synology Photos before 1.6.2-0720 and 1.7.0-0795 allows remote attackers to execute arbitrary code via unspecified vectors.
Products: Photos, Photo Station

CVE-2022-49041 (Sep 26, 2024)
Synology Drive Client 3.4.0-15721 Buffer Overflow in Bk Task Mgmt
Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in backup task management functionality in Synology Drive Client before 3.4.0-15721 allows local users with administrator privileges to crash the client via unspecified vectors.
Products: Drive Client

CVE-2022-49040 (Sep 26, 2024)
Synology Drive Client 3.4.0-15721 BufOverflow Crash via Conn Mgmt
Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in connection management functionality in Synology Drive Client before 3.4.0-15721 allows local users with administrator privileges to crash the client via unspecified vectors.
Products: Drive Client

CVE-2022-49039 (Sep 26, 2024)
Synology Drive Client <3.4.0-15721 OOB Write Allows Local Admin Cmd Exec
Out-of-bounds write vulnerability in backup task management functionality in Synology Drive Client before 3.4.0-15721 allows local users with administrator privileges to execute arbitrary commands via unspecified vectors.
Products: Drive Client

CVE-2022-49038 (Sep 26, 2024)
Synology Drive Client <3.3.0-15082: Untrusted OpenSSL DLL Exec Vulnerability
Inclusion of functionality from untrusted control sphere vulnerability in OpenSSL DLL component in Synology Drive Client before 3.3.0-15082 allows local users to execute arbitrary code via unspecified vectors.
Products: Drive Client

CVE-2022-49037 (Sep 26, 2024)
Sensitive Log Leak via Proxy Settings in Synology Drive Client <3.3.0
Insertion of sensitive information into log file vulnerability in proxy settings component in Synology Drive Client before 3.3.0-15082 allows remote authenticated users to obtain sensitive information via unspecified vectors.
Products: Drive Client

CVE-2023-52946 (Sep 26, 2024)
Synology Drive Client v<3.5.0-16084 Buffer Overflow via vss (Remote Crash)
Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in vss service component in Synology Drive Client before 3.5.0-16084 allows remote attackers to overwrite trivial buffers and crash the client via unspecified vectors.
Products: Drive Client

CVE-2023-52947 (Sep 26, 2024)
Synology Active Backup Agent 2.6.3-3101 Auth Bypass in Logout Function
Missing authentication for critical function vulnerability in logout functionality in Synology Active Backup for Business Agent before 2.6.3-3101 allows local users to log out the client via unspecified vectors. The backup functionality will continue to operate and will not be affected by the logout.
Products: Active Backup Business Agent

CVE-2023-52948 (Sep 26, 2024)
Synology Active Backup Agent <2.7.0-3221: Missing Sensitive Data Encryption
Missing encryption of sensitive data vulnerability in settings functionality in Synology Active Backup for Business Agent before 2.7.0-3221 allows local users to obtain user credentials via unspecified vectors.
Products: Active Backup Business Agent

CVE-2023-52949 (Sep 26, 2024)
Missing Auth in Proxy Settings in Synology Active Backup Agent <2.7.0-3221
Missing authentication for critical function vulnerability in proxy settings functionality in Synology Active Backup for Business Agent before 2.7.0-3221 allows local users to obtain user credentials via unspecified vectors.
Products: Active Backup Business Agent

CVE-2023-52950 (Sep 26, 2024)
Synology AB Agent <2.7.0-3221 Unencrypted Login Credentials Leak
Missing encryption of sensitive data vulnerability in login component in Synology Active Backup for Business Agent before 2.7.0-3221 allows adjacent man-in-the-middle attackers to obtain user credentials via unspecified vectors.
Products: Active Backup Business Agent

CVE-2024-38640 (Sep 06, 2024)
Download Station 5.8.x XSS Enables Authenticated Network Code Injection
A cross-site scripting (XSS) vulnerability has been reported to affect Download Station. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following version: Download Station 5.8.6.283 (2024/06/21) and later.
Products: Download Station

CVE-2024-39347 (Jun 28, 2024)
SRM Incorrect Default Permissions in Firewall before 1.3.1-9346-8
Incorrect default permissions vulnerability in firewall functionality in Synology Router Manager (SRM) before 1.2.5-8227-11 and 1.3.1-9346-8 allows man-in-the-middle attackers to access highly sensitive intranet resources via unspecified vectors.
Products: Router Manager

CVE-2024-39348 (Jun 28, 2024)
Synology Router Manager AirPrint download integrity flaw before 1.3.1
Download of code without integrity check vulnerability in AirPrint functionality in Synology Router Manager (SRM) before 1.2.5-8227-11 and 1.3.1-9346-8 allows man-in-the-middle attackers to execute arbitrary code via unspecified vectors.
Products: Router Manager
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).