Severity by source
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Safe Access in Synology Safe Access before 1.3.1-0329 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information or conduct limited denial-of-service in SRM.
AnalysisAI
Stored XSS in Synology Safe Access before 1.3.1-0329 on SRM (Synology Router Manager) allows remote authenticated administrators to inject malicious scripts that execute in the SRM context, enabling limited reads or writes of non-sensitive files and constrained denial-of-service conditions. The CVSS Scope:Changed rating confirms cross-component impact - the vulnerability originates in the Safe Access module but affects the broader SRM platform. No public exploit code exists and no active exploitation has been identified; EPSS at 0.03% and SSVC exploitation status of 'none' collectively indicate negligible current threat in the wild.
Technical ContextAI
Synology Safe Access is a parental-control and web-filtering application running within Synology Router Manager (SRM), the OS layer of Synology-branded routers. CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates that user-supplied input is reflected or stored and subsequently rendered without adequate sanitization or encoding, allowing script injection into the SRM web interface. The CVSS vector AV:N/AC:L/PR:H/UI:R/S:C captures the core mechanics: the attack is network-delivered, requires no special conditions to set up (AC:L), demands administrator credentials (PR:H), requires a victim to interact with the malicious content (UI:R), and the exploit scope extends beyond the Safe Access component into SRM (S:C). Affected versions are all Safe Access releases prior to 1.3.1-0329 per EUVD-2025-209953 and Synology advisory SA_25_11.
RemediationAI
Upgrade Synology Safe Access to version 1.3.1-0329 or later, as confirmed by Synology advisory SA_25_11 at https://www.synology.com/en-global/security/advisory/Synology_SA_25_11. This is the primary and recommended fix; vendor-released patched version 1.3.1-0329 is confirmed available. As an interim compensating control, organizations may restrict Safe Access administrative access to trusted internal networks only, reducing the network-reachable attacker surface - this does not eliminate the vulnerability but raises the bar for exploitation since the CVSS attack vector is Network. Given that the vulnerability requires administrator-level credentials and user interaction, enforcing multi-admin environments with strong authentication (e.g., 2FA on SRM admin accounts) further limits realistic exploitability while patching is scheduled.
webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before
Command injection vulnerability in smart.cgi in Synology DiskStation Manager (DSM) before 5.2-5967-5 allows remote authe
An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allo
Synology Video Station before 1.5-0763 allows remote attackers to execute arbitrary shell commands via shell metacharact
Multiple directory traversal vulnerabilities in the FileBrowser components in Synology DiskStation Manager (DSM) before
An information exposure vulnerability in index.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remot
Deserialization vulnerability in synophoto_csPhotoMisc.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allo
A vulnerability in synotheme_upload.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers
Command injection vulnerability in login.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to exec
Directory traversal vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 all
Improper access control vulnerability in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to acce
Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in Task Manager
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209953
GHSA-q5vj-c9px-46jv