Description
Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Safe Access in Synology Safe Access before 1.3.1-0329 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information or conduct limited denial-of-service in SRM.
Published: 2026-05-27
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improperly neutralized input vulnerability, classified as CWE-79 (cross-site scripting), exists in Synology Safe Access prior to version 1.3.1-0329. The flaw allows a remote authenticated user with administrator privileges to inject script into dynamically generated web pages, enabling the attacker to read or write specific files that contain non-sensitive information or to cause a limited denial of service in Synology Router Manager (SRM).

Affected Systems

The affected product is Synology Safe Access. Versions before 1.3.1-0329 are vulnerable. No further version details are provided.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity. The EPSS score is below 1% (very low), and the vulnerability is not listed in the CISA KEV catalog, implying low known exploitation prevalence. Exploitation requires the attacker to be authenticated as an administrator, and the CVSS vector (PR:H, UI:R, S:C) further records that user interaction is required and that the impact reaches beyond the Safe Access package into SRM. Once logged in, the attacker can craft malicious input to trigger the XSS flaw. The impact is limited to unauthorized read/write of non-sensitive files and a limited denial of service.

Generated by OpenCVE AI on May 27, 2026 at 10:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Synology Safe Access security update that includes patch v1.3.1-0329 or later.
  • Limit administrator access to trusted users and networks, and consider removing unnecessary admin rights.
  • Perform input validation and output encoding on any user-supplied data rendered in web pages to mitigate XSS.

Advisories

No advisories yet.

History

Wed, 27 May 2026 14:30:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:45:00 +0000

Type: Title
Values removed: (none)
Values added: Cross-Site Scripting in Synology Safe Access Allows File Access and Limited Denial-of-Service

Wed, 27 May 2026 09:00:00 +0000

Type: Description
Values removed: (none)
Values added: Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Safe Access in Synology Safe Access before 1.3.1-0329 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information or conduct limited denial-of-service in SRM.

Type: Weaknesses
Values removed: (none)
Values added: CWE-79

Type: References
Values removed: (none)
Values added: (none)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: synology

Published:

Updated: 2026-05-27T13:44:57.358Z

Reserved: 2025-09-15T07:33:56.204Z

Link: CVE-2025-10466

Vulnrichment

Updated: 2026-05-27T13:44:51.076Z

NVD

Status : Awaiting Analysis

Published: 2026-05-27T09:16:26.230

Modified: 2026-05-27T14:54:20.160

Link: CVE-2025-10466

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:30:28Z

Weaknesses