
Synology Diskstation Manager vulnerabilities

97 known vulnerabilities affecting synology/diskstation_manager.

Total CVEs: 97
CISA KEV: 1 (actively exploited)
Public exploits: 11
Exploited in wild: 3
Severity breakdown: CRITICAL 19, HIGH 47, MEDIUM 29, LOW 2

Vulnerabilities

Page 2 of 5
CVE-2024-10441 | P3 | CRITICAL | CVSS 9.8 | ≥ 7.2, < 7.2-64570-4; ≥ 7.2.1-69057, < 7.2.1-69057-6; +3 more | 2025-03-19
CWE-116: Improper encoding or escaping of output vulnerability in the system plugin daemon in Synology BeeStation OS (BSM) before 1.1-65374 and Synology DiskStation Manager (DSM) before 7.2-64570-4, 7.2.1-69057-6 and 7.2.2-72806-1 allows remote attackers to execute arbitrary code via unspecified vectors.
Source: nvd
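The affected-version ranges printed in each entry (for example "≥ 7.2, < 7.2-64570-4" above) are half-open: the lower bound is inclusive, the upper bound is the release that carries the fix and is exclusive, and a bare "fixed in X" means every release before X. The following Python is an added example, not code from cvebase or Synology. It assumes DSM versions follow the major.minor[.patch]-build[-hotfix] scheme seen on this page, that the control-panel form "DSM 7.2.1-69057 Update 6" denotes the same release as "7.2.1-69057-6", and it matches an installed version against a hand-copied subset of this page's ranges. Entries marked "+N more" list further ranges the page does not print, so a miss here is not a clean bill for that CVE.

```python
"""Match an installed DSM version against the affected ranges on this page.

Added example (not cvebase's or Synology's code).  Assumptions: DSM versions
follow major.minor[.patch]-build[-hotfix], the control-panel form
"DSM 7.2.1-69057 Update 6" is the same release as "7.2.1-69057-6", and a
range's lower bound is inclusive while its upper bound (the fixed release)
is exclusive."""
import re
from typing import List, NamedTuple, Optional, Tuple

_VERSION_RE = re.compile(
    r"^(?:DSM\s+)?(\d+)\.(\d+)(?:\.(\d+))?(?:-(\d+))?(?:(?:-|\s+Update\s+)(\d+))?$",
    re.IGNORECASE,
)


def parse_dsm_version(text: str) -> Tuple[int, int, int, int, int]:
    """'7.2.1-69057-6' -> (7, 2, 1, 69057, 6).  Missing parts become 0, so a
    bare '7.2' sorts below every 7.2 build and '7.2.1-69057' sorts below
    each of its hotfix releases, which is what the page's ranges rely on."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised DSM version: {text!r}")
    major, minor, patch, build, hotfix = (int(g) if g else 0 for g in m.groups())
    return major, minor, patch, build, hotfix


class Range(NamedTuple):
    low: Optional[str]   # inclusive; None where the page prints "unspecified"
    high: str            # exclusive: the release that carries the fix


def in_range(version: str, rng: Range) -> bool:
    """True when low <= version < high under the tuple ordering above."""
    v = parse_dsm_version(version)
    if rng.low is not None and v < parse_dsm_version(rng.low):
        return False
    return v < parse_dsm_version(rng.high)


# Ranges copied from the entries on this page.  Entries marked "+N more"
# have further ranges the page does not print, so this table is partial.
AFFECTED = {
    "CVE-2024-10441": [Range("7.2", "7.2-64570-4"), Range("7.2.1-69057", "7.2.1-69057-6")],
    "CVE-2024-5401":  [Range("7.2.1-69057", "7.2.1-69057-2"), Range("7.2.2-72803", "7.2.2-72806")],
    "CVE-2024-45538": [Range("7.2.1-69057", "7.2.1-69057-2"), Range("7.2.2-72803", "7.2.2-72806")],
    "CVE-2022-27623": [Range(None, "7.1-42661")],
    "CVE-2021-43925": [Range("6.2", "6.2.4-25556-3"), Range("7.0", "7.0.1-42218-2")],
    "CVE-2022-27616": [Range("6.2", "6.2.4-25556-5"), Range("7.0", "7.0.1-42218-3")],
}


def matching_cves(version: str) -> List[str]:
    """CVE IDs from the table whose listed ranges contain `version`."""
    return sorted(cve for cve, ranges in AFFECTED.items()
                  if any(in_range(version, r) for r in ranges))


if __name__ == "__main__":
    for installed in ("7.2.1-69057-3", "DSM 7.2.1-69057 Update 6", "7.0.1-42218"):
        print(installed, "->", matching_cves(installed) or "no listed range matches")
```

The ordering matters at the edges: "7.2.1-69057-6" is the fix for CVE-2024-10441 and must not match, while "7.2.1-69057" (no hotfix) must sort below it and match. Compare against the full vendor advisory before trusting a miss, since the table above only carries the ranges this page shows.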
CVE-2021-31439 | P3 | HIGH | CVSS 8.8 | ≥ 6.2, < 6.2.3-25426-3; v6.1.1-15101-4 | 2021-05-21
CWE-122: This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology DiskStation Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of DSI structures in Netatalk. The issue results from the lack of proper validation of the length of user-s
Source: nvd
CVE-2018-13284 | P3 | HIGH | CVSS 8.8 | ≥ 5.2, < 5.2-5967-8; ≥ 6.0, < 6.0.3-8754-8; +3 more | 2019-04-01
CWE-78: Command injection vulnerability in ftpd in Synology Diskstation Manager (DSM) before 6.2-23739-1 allows remote authenticated users to execute arbitrary OS commands via the (1) MKD or (2) RMD command.
Source: nvd
CVE-2022-22688 | P3 | HIGH | CVSS 8.8 | ≥ 7.0, < 7.0.1-42214; ≥ 6.2, < 6.2.4-25556-2; +1 more | 2022-03-25
CWE-77: Improper neutralization of special elements used in a command ('Command Injection') vulnerability in File service functionality in Synology DiskStation Manager (DSM) before 6.2.4-25556-2 allows remote authenticated users to execute arbitrary commands via unspecified vectors.
Source: nvd
CVE-2022-27623 | P3 | CRITICAL | CVSS 9.1 | fixed in 7.1-42661; ≥ unspecified, < 7.1-42661 | 2022-10-25
CWE-306: Missing authentication for critical function vulnerability in iSCSI management functionality in Synology DiskStation Manager (DSM) before 7.1-42661 allows remote attackers to read or write arbitrary files via unspecified vectors.
Source: nvd
CVE-2022-22687 | P3 | CRITICAL | CVSS 9.8 | ≥ 6.2, < 6.2.3-25426-3; ≥ unspecified, < 6.2.3-25426-3 | 2022-03-25
CWE-120: Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in Authentication functionality in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors.
Source: nvd
CVE-2024-5401 | P3 | HIGH | CVSS 8.8 | ≥ 7.2.1-69057, < 7.2.1-69057-2; ≥ 7.2.2-72803, < 7.2.2-72806; +2 more | 2025-12-04
CWE-913: Improper control of dynamically-managed code resources vulnerability in WebAPI component in Synology DiskStation Manager (DSM) before 7.1.1-42962-8 and 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote authenticated users to obtain privileges without consent via unspecified vectors.
Source: nvd
CVE-2021-43925 | P3 | CRITICAL | CVSS 9.8 | ≥ 6.2, < 6.2.4-25556-3; ≥ 7.0, < 7.0.1-42218-2; +1 more | 2022-02-07
CWE-89: Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log Management functionality in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to inject SQL commands via unspecified vectors.
Source: nvd
CVE-2021-43926 | P3 | CRITICAL | CVSS 9.8 | ≥ 6.2, < 6.2.4-25556-3; ≥ 7.0, < 7.0.1-42218-2; +1 more | 2022-02-07
CWE-89: Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log Management functionality in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to inject SQL commands via unspecified vectors.
Source: nvd
CVE-2019-9517 | P3 | HIGH | CVSS 7.5 | v6.2 | 2019-08-13
CWE-400: Some HTTP/2 implementations are vulnerable to unconstrained internal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requ
Source: nvd
CVE-2019-9518 | P3 | HIGH | CVSS 7.5 | v6.2 | 2019-08-13
CWE-400: Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandw
Source: nvd
CVE-2021-43927 | P3 | CRITICAL | CVSS 9.8 | ≥ 6.2, < 6.2.4-25556-3; ≥ 7.0, < 7.0.1-42218-2; +1 more | 2022-02-07
CWE-89: Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Security Management functionality in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to inject SQL commands via unspecified vectors.
Source: nvd
CVE-2019-9516 | P3 | MEDIUM | CVSS 6.5 | v6.2 | 2019-08-13
CWE-400: Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the
Source: nvd
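The three HTTP/2 entries on this page (CVE-2019-9517, CVE-2019-9518 and CVE-2019-9516) describe client-side frame patterns rather than a Synology-specific bug, and of the three only the "empty frames flood" of CVE-2019-9518 is visible at the frame layer without further state: CVE-2019-9516 needs HPACK decoding to see the zero-length names, and CVE-2019-9517 plays on the TCP receive window and needs socket-level observation. The following Python is an added example, not code from cvebase, Synology or any HTTP/2 implementation. It splits a plaintext HTTP/2 frame stream (after the connection preface, with TLS already removed) into frames and counts those of the four types named in the CVE that carry no payload and do not set END_STREAM. The sample frames and the threshold of 100 are constructed for the example.

```python
"""Detect the CVE-2019-9518 "empty frames flood" pattern in a raw HTTP/2
frame stream.  Added example, not from the page, Synology or any HTTP/2
stack; it assumes a plaintext (already-decrypted) byte stream after the
connection preface, and the threshold is a constructed tuning value."""
import struct
from typing import Iterator, NamedTuple

FRAME_HEADER_LEN = 9
# Frame types (RFC 7540 section 6) that the CVE text names.
DATA, HEADERS, PUSH_PROMISE, CONTINUATION = 0x0, 0x1, 0x5, 0x9
FLAG_END_STREAM = 0x1      # valid on DATA and HEADERS frames
FLAG_END_HEADERS = 0x4     # valid on HEADERS, PUSH_PROMISE, CONTINUATION


class Frame(NamedTuple):
    length: int
    type: int
    flags: int
    stream_id: int
    payload: bytes


def iter_frames(data: bytes) -> Iterator[Frame]:
    """Split a byte stream into HTTP/2 frames: 24-bit length, 8-bit type,
    8-bit flags, 1 reserved bit plus 31-bit stream id, then the payload."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        hi, lo, ftype, flags, sid = struct.unpack_from(">BHBBI", data, off)
        length = (hi << 16) | lo
        sid &= 0x7FFFFFFF                      # drop the reserved bit
        start = off + FRAME_HEADER_LEN
        payload = data[start:start + length]
        if len(payload) < length:
            break                              # truncated trailing frame
        yield Frame(length, ftype, flags, sid, payload)
        off = start + length


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Serialise one frame; used here only to construct sample traffic."""
    n = len(payload)
    return struct.pack(">BHBBI", n >> 16, n & 0xFFFF, ftype, flags,
                       stream_id & 0x7FFFFFFF) + payload


def count_empty_frames(data: bytes) -> int:
    """Frames matching the CVE text: one of the four types, empty payload,
    END_STREAM clear, so they neither carry data nor finish a stream.  An
    empty DATA frame that does set END_STREAM is a legitimate stream close
    and is deliberately not counted."""
    suspicious = 0
    for f in iter_frames(data):
        if (f.type in (DATA, HEADERS, PUSH_PROMISE, CONTINUATION)
                and f.length == 0 and not (f.flags & FLAG_END_STREAM)):
            suspicious += 1
    return suspicious


def is_empty_frame_flood(data: bytes, threshold: int = 100) -> bool:
    """Threshold is a constructed tuning value for this example; a normal
    client sends at most a handful of zero-length frames per connection."""
    return count_empty_frames(data) >= threshold


# Constructed samples: a normal request (HEADERS carrying an HPACK block for
# ":method GET" / ":path /", then a DATA frame with a body and END_STREAM)
# versus the same HEADERS followed by 200 empty DATA frames on stream 1.
NORMAL = (build_frame(HEADERS, FLAG_END_HEADERS, 1, b"\x82\x84")
          + build_frame(DATA, FLAG_END_STREAM, 1, b"hello"))
FLOOD = build_frame(HEADERS, FLAG_END_HEADERS, 1, b"\x82\x84") + build_frame(DATA, 0, 1) * 200

if __name__ == "__main__":
    print(count_empty_frames(NORMAL), is_empty_frame_flood(NORMAL))   # 0 False
    print(count_empty_frames(FLOOD), is_empty_frame_flood(FLOOD))     # 200 True
```

In a real deployment the count would be kept per connection and reset when the connection closes; an absolute threshold like the one above is the simplest form, and a rate (empty frames per second) is what a reverse proxy in front of DSM would more usefully alert on.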
CVE-2021-27649 | P3 | CRITICAL | CVSS 9.8 | ≥ 6.2, < 6.2.3-25426-3; ≥ unspecified, < 6.2.3-25426-3 | 2021-06-23
CWE-416: Use after free vulnerability in file transfer protocol component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors.
Source: nvd
CVE-2021-26569 | P3 | HIGH | CVSS 8.1 | fixed in 6.2.3-25426-3 | 2021-03-12
CWE-366: Race Condition within a Thread vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via crafted web requests.
Source: nvd
CVE-2022-27626 | P3 | HIGH | CVSS 8.1 | fixed in 7.1.1-42962-2; ≥ unspecified, < 7.1.1-42962-2 | 2022-10-20
CWE-362: A vulnerability regarding concurrent execution using shared resource with improper synchronization ('Race Condition') is found in the session processing functionality of Out-of-Band (OOB) Management. This allows remote attackers to execute arbitrary commands via unspecified vectors. The following models with Synology DiskStation Manager (DSM) versions
Source: nvd
CVE-2021-26566 | P3 | CRITICAL | CVSS 9.0 | fixed in 6.2.3-25426-3 | 2021-02-26
CWE-201: Insertion of sensitive information into sent data vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary commands via inbound QuickConnect traffic.
Source: nvd
CVE-2022-27616 | P3 | HIGH | CVSS 7.2 | ≥ 6.2, < 6.2.4-25556-5; ≥ 7.0, < 7.0.1-42218-3; +1 more | 2022-08-03
CWE-78: Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in webapi component in Synology DiskStation Manager (DSM) before 7.0.1-42218-3 allows remote authenticated users to execute arbitrary commands via unspecified vectors.
Source: nvd
CVE-2024-45538 | P3 | CRITICAL | CVSS 9.6 | ≥ 7.2.1-69057, < 7.2.1-69057-2; ≥ 7.2.2-72803, < 7.2.2-72806; +2 more | 2025-12-04
CWE-352: Cross-Site Request Forgery (CSRF) vulnerability in WebAPI Framework in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to execute arbitrary code via unspecified vectors.
Source: nvd
CVE-2018-8916 | P3 | HIGH | CVSS 8.8 | fixed in 6.2-23739; ≥ unspecified, < 6.2-23739 | 2018-06-08
CWE-620: Unverified password change vulnerability in Change Password in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to reset password without verification.
Source: nvd