Summary

| Metric | Value |
|---|---|
| CVEs | 12 |
| Critical | 1 |
| High | 5 |
| KEV | 0 |
| PoC | 0 |
| Unpatched C/H (Critical/High) | 5 |
| Patch Rate | 25.0% |
| Avg EPSS | 0.1% |
Severity Breakdown

| Severity | Count |
|---|---|
| CRITICAL | 1 |
| HIGH | 5 |
| MEDIUM | 6 |
| LOW | 0 |

Monthly CVE Trend (chart; no data present in the extracted page)
Affected Products (17)

| Product | CVEs |
|---|---|
| Diskstation Manager | 8 |
| Beedrive | 4 |
| Active Backup For Business Agent | 3 |
| File Station | 3 |
| Diskstation Manager Unified Controller | 3 |
| Beestation Os | 3 |
| Drive Server | 2 |
| Cc400W Firmware | 1 |
| Memory Corruption | 1 |
| Bc500 Firmware | 1 |
| Tc500 Firmware | 1 |
| Replication Service | 1 |
| Unified Controller | 1 |
| Presto Client | 1 |
| Mail Server | 1 |
| Openclaw | 1 |
| Active Backup For Microsoft 365 | 1 |
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2024-45538 | Cross-Site Request Forgery (CSRF) vulnerability in WebAPI Framework in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to execute arbitrary code via unspecified vectors. | CRITICAL | 9.6 | 0.1% | 48 | No patch |
| CVE-2026-31998 | Synology OpenClaw versions 2026.2.22 and 2026.2.23 contain an authorization bypass in the synology-chat channel plugin where misconfigured allowlist policies with empty user IDs fail open, allowing authenticated Synology senders to dispatch unauthorized agents and execute downstream tool actions. The vulnerability requires network access and low-complexity exploitation, with a patch currently available. | HIGH | 8.3 | 0.0% | 42 | |
| CVE-2025-54160 | Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows local users to execute arbitrary code via unspecified vectors. | HIGH | 7.8 | 0.0% | 39 | No patch |
| CVE-2025-54158 | Missing authentication for critical function vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows local users to execute arbitrary code via unspecified vectors. | HIGH | 7.8 | 0.0% | 39 | No patch |
| CVE-2024-45539 | Out-of-bounds write vulnerability in cgi components in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to conduct denial-of-service attacks via unspecified vectors. | HIGH | 7.5 | 0.2% | 38 | No patch |
| CVE-2025-54159 | Missing authorization vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows remote attackers to delete arbitrary files via unspecified vectors. | HIGH | 7.5 | 0.1% | 38 | No patch |
| CVE-2026-3091 | Synology Presto Client versions prior to 2.1.3-0672 are vulnerable to DLL hijacking during installation, enabling local attackers with user privileges to read or write arbitrary files by placing malicious libraries in the installer directory. The vulnerability requires user interaction and local access but grants high-impact capabilities including confidentiality and integrity violations. No patch is currently available. | MEDIUM | 6.7 | 0.0% | 34 | No patch |
| CVE-2026-32911 | Synology OpenClaw versions prior to 2026.2.24 contain an authorization bypass in the synology-chat channel plugin where misconfigured allowlist policies with empty user IDs fail to enforce access controls. Authenticated attackers with Synology sender privileges can exploit this flaw to send unauthorized messages through downstream agents and tools. A patch is available. | MEDIUM | 6.4 | – | 32 | |
| CVE-2025-2848 | A vulnerability in Synology Mail Server allows remote authenticated attackers to read and write non-sensitive settings, and disable some non-critical functions. | MEDIUM | 6.3 | 0.1% | 32 | No patch |
| CVE-2026-35635 | OpenClaw before 2026.3.22 contains a webhook path route replacement vulnerability in its Synology Chat extension that allows unauthenticated remote attackers to bypass per-account direct message access controls by collapsing multi-account configurations onto shared webhook paths. Attackers can exploit inherited or duplicate webhook paths to replace route ownership across accounts, potentially gaining unauthorized access to account-specific resources. No public exploit code or active exploitation has been confirmed at the time of analysis. | MEDIUM | 6.3 | 0.0% | 32 | |
| CVE-2025-8074 | Origin validation error vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.3-13973 allows local users to write arbitrary files with non-sensitive information via unspecified vectors. | MEDIUM | 5.6 | 0.0% | 28 | No patch |
| CVE-2024-5401 | Improper control of dynamically-managed code resources vulnerability in WebAPI component in Synology DiskStation Manager (DSM) before 7.1.1-42962-8 and 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote authenticated users to obtain privileges without consent via unspecified vectors. | MEDIUM | 4.3 | 0.1% | 22 | No patch |