Synology Diskstation Manager — known CVE vulnerabilities
Every CVE whose affected-product data names Synology Diskstation Manager, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (97)
CVE-2022-27625 — CVSS 10.0 (critical): A vulnerability regarding improper restriction of operations within the bounds of a memory buffer is found in the message processing…
CVE-2013-6955 — CVSS 10.0 (critical): webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1…
CVE-2022-27624 — CVSS 10.0 (critical): A vulnerability regarding improper restriction of operations within the bounds of a memory buffer is found in the packet decryption…
CVE-2022-27626 — CVSS 10.0 (critical): A vulnerability regarding concurrent execution using shared resource with improper synchronization ('Race Condition') is found in the…
CVE-2021-27647 — CVSS 9.8 (critical): Out-of-bounds Read vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote…
CVE-2021-27646 — CVSS 9.8 (critical): Use After Free vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers…
CVE-2021-26569 — CVSS 9.8 (critical): Race Condition within a Thread vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows…
CVE-2024-10441 — CVSS 9.8 (critical): Improper encoding or escaping of output vulnerability in the system plugin daemon in Synology BeeStation OS (BSM) before 1.1-65374 and…
CVE-2018-1160 — CVSS 9.8 (critical): Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker…
CVE-2017-14491 — CVSS 9.8 (critical): Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code…
CVE-2021-27649 — CVSS 9.8 (critical): Use after free vulnerability in file transfer protocol component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote…
CVE-2022-22687 — CVSS 9.8 (critical): Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in Authentication functionality in Synology…
CVE-2024-45538 — CVSS 9.6 (critical): Cross-Site Request Forgery (CSRF) vulnerability in WebAPI Framework in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and…
CVE-2021-26560 — CVSS 9.0 (critical): Cleartext transmission of sensitive information vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before…
CVE-2021-26562 — CVSS 9.0 (critical): Out-of-bounds write vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle…
CVE-2021-26561 — CVSS 9.0 (critical): Stack-based buffer overflow vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows…
CVE-2022-22688 — CVSS 8.8 (high): Improper neutralization of special elements used in a command ('Command Injection') vulnerability in File service functionality in Synology…
CVE-2021-44142 — CVSS 8.8 (high): The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and…
CVE-2017-15889 — CVSS 8.8 (high): Command injection vulnerability in smart.cgi in Synology DiskStation Manager (DSM) before 5.2-5967-5 allows remote authenticated users to…
CVE-2021-31439 — CVSS 8.8 (high): This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology DiskStation Manager…
CVE-2021-29085 — CVSS 8.6 (high): Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in file sharing management…
CVE-2021-26564 — CVSS 8.3 (high): Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3…
CVE-2018-8919 — CVSS 8.3 (high): Information exposure vulnerability in SYNO.Core.Desktop.SessionData in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote…
CVE-2020-27648 — CVSS 8.3 (high): Improper certificate validation vulnerability in OpenVPN client in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows…
CVE-2020-27652 — CVSS 8.3 (high): Algorithm downgrade vulnerability in QuickConnect in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle…
CVE-2020-27653 — CVSS 8.3 (high): Algorithm downgrade vulnerability in QuickConnect in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to…
CVE-2021-26565 — CVSS 8.3 (high): Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3…
CVE-2021-26566 — CVSS 8.3 (high): Insertion of sensitive information into sent data vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3…
CVE-2021-26563 — CVSS 8.2 (high): Incorrect authorization vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to…
CVE-2025-13392 — CVSS 8.1 (high): Improper check for unusual or exceptional conditions vulnerability in SSO in Synology DiskStation Manager (DSM) before 7.2.2-72806-5 and…
CVE-2021-26567 — CVSS 7.8 (high): Stack-based buffer overflow vulnerability in frontend/main.c in faad2 before 2.2.7.1 allow local attackers to execute arbitrary code via…
CVE-2018-8897 — CVSS 7.8 (high): A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the…
CVE-2021-29088 — CVSS 7.8 (high): Improper limitation of a pathname to a restricted directory ('Path Traversal') in cgi component in Synology DiskStation Manager (DSM)…
CVE-2014-2264 — CVSS 7.8 (high): The OpenVPN module in Synology DiskStation Manager (DSM) 4.3-3810 update 1 has a hardcoded root password of synopass, which makes it easier…
CVE-2019-9517 — CVSS 7.5 (high): Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The…
CVE-2019-9518 — CVSS 7.5 (high): Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a…
CVE-2024-10444 — CVSS 7.5 (high): Improper certificate validation vulnerability in the LDAP utilities in Synology DiskStation Manager (DSM) before 7.1.1-42962-8…
CVE-2017-9553 — CVSS 7.5 (high): A design flaw in SYNO.API.Encryption in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to bypass the…
CVE-2025-1021 — CVSS 7.5 (high): Missing authorization vulnerability in synocopy in Synology DiskStation Manager (DSM) before 7.1.1-42962-8, 7.2.1-69057-7 and 7.2.2-72806-3…
CVE-2021-29084 — CVSS 7.5 (high): Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in Security Advisor report…
CVE-2024-45539 — CVSS 7.5 (high): Out-of-bounds write vulnerability in cgi components in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology…
CVE-2019-9511 — CVSS 7.5 (high): Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a…
CVE-2019-9513 — CVSS 7.5 (high): Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple…
CVE-2019-9514 — CVSS 7.5 (high): Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of…
CVE-2019-9515 — CVSS 7.5 (high): Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of…
CVE-2013-6987 — CVSS 7.5 (high): Multiple directory traversal vulnerabilities in the FileBrowser components in Synology DiskStation Manager (DSM) before 4.3-3810 Update 3…
CVE-2021-29087 — CVSS 7.5 (high): Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology DiskStation…
CVE-2018-13284 — CVSS 7.5 (high): Command injection vulnerability in ftpd in Synology Diskstation Manager (DSM) before 6.2-23739-1 allows remote authenticated users to…
CVE-2018-7184 — CVSS 7.5 (high): ntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the "received" timestamp, which allows remote attackers to cause a…
CVE-2018-7185 — CVSS 7.5 (high): The protocol engine in ntp 4.2.6 before 4.2.8p11 allows a remote attackers to cause a denial of service (disruption) by continually sending…
CVE-2022-27623 — CVSS 7.4 (high): Missing authentication for critical function vulnerability in iSCSI management functionality in Synology DiskStation Manager (DSM) before…
CVE-2018-13280 — CVSS 7.4 (high): Use of insufficiently random values vulnerability in SYNO.Encryption.GenRandomKey in Synology DiskStation Manager (DSM) before 6.2-23739…
CVE-2021-29083 — CVSS 7.2 (high): Improper neutralization of special elements used in an OS command in SYNO.Core.Network.PPPoE in Synology DiskStation Manager (DSM) before…
CVE-2018-8920 — CVSS 7.2 (high): Improper neutralization of escape vulnerability in Log Exporter in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote…
CVE-2022-22684 — CVSS 7.2 (high): Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in task management component in…
CVE-2022-27616 — CVSS 7.2 (high): Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in webapi component in Synology…
CVE-2017-12075 — CVSS 7.2 (high): Command injection vulnerability in EZ-Internet in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to…
CVE-2022-22679 — CVSS 6.5 (medium): Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in support service management in Synology…
CVE-2017-15894 — CVSS 6.5 (medium): Directory traversal vulnerability in the SYNO.FileStation.Extract in Synology DiskStation Manager (DSM) 6.0.x before 6.0.3-8754-3 and…
CVE-2017-16766 — CVSS 6.5 (medium): An improper access control vulnerability in synodsmnotify in Synology DiskStation Manager (DSM) before 6.1.4-15217 and before 6.0.3-8754-6…
CVE-2017-16774 — CVSS 6.5 (medium): Cross-site scripting (XSS) vulnerability in SYNO.Core.PersonalNotification.Event in Synology DiskStation Manager (DSM) before 6.1.4-15217-3…
CVE-2018-13286 — CVSS 6.5 (medium): Incorrect default permissions vulnerability in synouser.conf in Synology Diskstation Manager (DSM) before 6.2-23739-1 allows remote…
CVE-2018-8917 — CVSS 6.5 (medium): Cross-site scripting (XSS) vulnerability in info.cgi in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attackers to…
CVE-2019-14907 — CVSS 6.5 (medium): All samba versions 4.9.x before 4.9.18, 4.10.x before 4.10.12 and 4.11.x before 4.11.5 have an issue where if it is set with "log level =…
CVE-2019-19344 — CVSS 6.5 (medium): There is a use-after-free issue in all samba 4.9.x versions before 4.9.18, all samba 4.10.x versions before 4.10.12 and all samba 4.11.x…
CVE-2019-9516 — CVSS 6.5 (medium): Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of…
CVE-2020-27656 — CVSS 6.5 (medium): Cleartext transmission of sensitive information vulnerability in DDNS in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows…
CVE-2021-43929 — CVSS 6.5 (medium): Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in work flow management in…
CVE-2022-27610 — CVSS 6.5 (medium): Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology DiskStation…
CVE-2023-0142 — CVSS 6.5 (medium): Uncontrolled search path element vulnerability in Backup Management functionality in Synology DiskStation Manager (DSM) before…
CVE-2018-8916 — CVSS 6.3 (medium): Unverified password change vulnerability in Change Password in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote…
CVE-2019-3870 — CVSS 6.1 (medium): A vulnerability was found in Samba from version (including) 4.9 to versions before 4.9.6 and 4.10.2. During the creation of a new Samba AD…
CVE-2023-2729 — CVSS 5.9 (medium): Use of insufficiently random values vulnerability in User Management Functionality in Synology DiskStation Manager (DSM) before 7.2-64561…
CVE-2018-13293 — CVSS 5.9 (medium): Cross-site scripting (XSS) vulnerability in Control Panel SSO Settings in Synology DiskStation Manager (DSM) before 6.2.1-23824 allows…
CVE-2020-27650 — CVSS 5.8 (medium): Synology DiskStation Manager (DSM) before 6.2.3-25426-2 does not set the Secure flag for the session cookie in an HTTPS session, which…
CVE-2017-5753 — CVSS 5.6 (medium): Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an…
CVE-2024-0854 — CVSS 5.4 (medium): URL redirection to untrusted site ('Open Redirect') vulnerability in file access component in Synology DiskStation Manager (DSM) before…
CVE-2021-29086 — CVSS 5.3 (medium): Exposure of sensitive information to an unauthorized actor vulnerability in webapi component in Synology DiskStation Manager (DSM) before…
CVE-2024-50629 — CVSS 5.3 (medium): Improper encoding or escaping of output vulnerability in the webapi component in Synology BeeStation OS (BSM) before 1.1-65374 and Synology…
CVE-2022-22680 — CVSS 5.3 (medium): Exposure of sensitive information to an unauthorized actor vulnerability in Web Server in Synology DiskStation Manager (DSM) before…
CVE-2017-9554 — CVSS 5.3 (medium): An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers…
CVE-2022-3576 — CVSS 5.3 (medium): A vulnerability regarding out-of-bounds read is found in the session processing functionality of Out-of-Band (OOB) Management. This allows…
CVE-2018-7170 — CVSS 5.3 (medium): ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create…
CVE-2021-33182 — CVSS 5.0 (medium): Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in PDF Viewer component in Synology…
CVE-2015-2809 — CVSS 5.0 (medium): The Multicast DNS (mDNS) responder in Synology DiskStation Manager (DSM) before 3.1 inadvertently responds to unicast queries with source…
CVE-2017-12076 — CVSS 4.9 (medium): Uncontrolled Resource Consumption vulnerability in SYNO.Core.PortForwarding.Rules in Synology DiskStation (DSM) before 6.1.1-15088 allows…
CVE-2021-43925 — CVSS 4.7 (medium): Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log Management functionality in…
CVE-2021-43926 — CVSS 4.7 (medium): Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log Management functionality in…
CVE-2021-43927 — CVSS 4.7 (medium): Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Security Management functionality in…
CVE-2012-1556 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in Synology Photo Station 5 for DiskStation Manager (DSM) 3.2-1955 allows remote attackers to…
CVE-2018-13291 — CVSS 4.3 (medium): Information exposure vulnerability in /usr/syno/etc/mount.conf in Synology DiskStation Manager (DSM) before 6.2.1-23824 allows remote…
CVE-2015-4655 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in Synology DiskStation Manager (DSM) before 5.2-5565 Update 1 allows remote attackers to inject…
CVE-2024-10445 — CVSS 4.3 (medium): Improper certificate validation vulnerability in the update functionality in Synology BeeStation OS (BSM) before 1.1-65374 and Synology…
CVE-2024-5401 — CVSS 4.3 (medium): Improper control of dynamically-managed code resources vulnerability in WebAPI component in Synology DiskStation Manager (DSM) before…
CVE-2018-13281 — CVSS 4.3 (medium): Information exposure vulnerability in SYNO.Core.ACL in Synology DiskStation Manager (DSM) before 6.2-23739-2 allows remote authenticated…
CVE-2022-27622 — CVSS 4.1 (medium): Server-Side Request Forgery (SSRF) vulnerability in Package Center functionality in Synology DiskStation Manager (DSM) before 7.1-42661…