What is the CVSS score of CVE-2026-2237?

CVE-2026-2237 has a CVSS 3.1 base score of 6.2 (Medium). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Is there a patch available for CVE-2026-2237?

Yes, a patch is available for CVE-2026-2237. Update the affected software to the latest version immediately.

Synology Storage Manager CVE-2026-2237

EUVD-2026-32153 MEDIUM

Use of GET Request Method With Sensitive Query Strings (CWE-598)

2026-05-27 security@synology.com

GHSA-5v68-527q-prqv

Information Disclosure Synology

6.2

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

May 27, 2026 - 22:21 vuln.today

Patch available

May 27, 2026 - 19:46 EUVD

DescriptionNVD

A use of get request method with sensitive query strings vulnerability in volume encryption of Synology Storage Manager package before 1.0.1-1100 allows local attackers to obtain sensitive information.

AnalysisAI

Volume encryption in Synology Storage Manager before version 1.0.1-1100 transmits sensitive data via HTTP GET query strings, exposing encryption-related secrets to local attackers who can access web server logs, browser history, or other locally readable URL artifacts. The flaw (CWE-598) requires no privileges or user interaction beyond local system presence, and carries a High confidentiality impact rating because credentials or passphrases associated with volume encryption may be recoverable from logged GET requests. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2025-12686 CRITICAL Act Now

9.8 May 27

Remote code execution in Synology BeeStation OS versions before 1.3.2-65648 stems from a classic buffer overflow in the

CVE-2025-13392 HIGH This Week

8.1 May 27

Authentication bypass in Synology DiskStation Manager (DSM) SSO lets remote, unauthenticated attackers who already know

CVE-2025-14713 HIGH This Week

7.5 May 27

Credential disclosure in Synology C2 Identity Edge Server (DSM versions before 1.76.0-0307) allows remote unauthenticate

CVE-2025-13593 MEDIUM This Month

6.1 May 27

Arbitrary file write with restricted content in Synology ActiveProtect Agent before 1.1.0-0439 is exploitable by local u

CVE-2025-66592 MEDIUM This Month

6.1 May 27

Synology Active Backup for Business Agent before version 3.1.0-4967 contains an origin validation error (CWE-346) that p

CVE-2026-2237 vulnerability details – vuln.today

Back

Synology Storage Manager CVE-2026-2237

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Full analysis requires sign-in

More from same product – last 7 days

Share

External POC / Exploit Code