Impact
Improper neutralization of input during web page generation creates a cross-site scripting (XSS) flaw in the contact functionality of Synology Contacts. An authenticated user can submit crafted contact data that is not adequately filtered before it is rendered, so arbitrary script executes in the browser of another authenticated user who views the affected page. Exploitation allows reading or writing specific files that contain non-sensitive data. Because the injected script runs inside the victim's session, it can perform actions the web interface permits that user, which compromises the confidentiality and integrity of user-controlled content and may serve as a foothold for further attacks.
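The following is an added example, not code from Synology or from the advisory. It shows the class of defect described above in a generic contact renderer: a vulnerable function that concatenates submitted contact fields straight into markup, beside a hardened one that encodes each field for the context it lands in (HTML text, a quoted attribute, and a link target that is allowlisted by scheme). The contact record, field names and helper names are constructed for illustration and do not describe Synology Contacts' actual code paths.

```javascript
// Added illustration (not Synology's code). The contact fields below are
// constructed test data; field names such as "notes" are assumptions.

// Escape the five characters that are significant in HTML text nodes and in
// double-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Allowlist the URL scheme for a contact's website/email link. A denylist of
// "javascript:" is easy to bypass (case, embedded whitespace, other schemes),
// so only http(s) and mailto are accepted; everything else becomes "#".
function safeUrl(value) {
  const s = String(value).trim();
  return /^(https?:|mailto:)/i.test(s) ? s : '#';
}

// Vulnerable renderer: user-controlled fields are concatenated into markup
// with no neutralization, the defect class named in the advisory.
function renderContactUnsafe(contact) {
  return '<div class="contact">' +
    '<h2>' + contact.name + '</h2>' +
    '<a href="' + contact.website + '">' + contact.website + '</a>' +
    '<p>' + contact.notes + '</p>' +
    '</div>';
}

// Hardened renderer: every field is encoded for the context it is placed in,
// and the href additionally goes through the scheme allowlist.
function renderContactSafe(contact) {
  return '<div class="contact">' +
    '<h2>' + escapeHtml(contact.name) + '</h2>' +
    '<a href="' + escapeHtml(safeUrl(contact.website)) + '">' +
      escapeHtml(contact.website) + '</a>' +
    '<p>' + escapeHtml(contact.notes) + '</p>' +
    '</div>';
}

// Constructed hostile contact record, shaped like what an authenticated user
// could submit through a contact form. Payload text is illustrative only.
const hostileContact = {
  name: '<img src=x onerror="alert(document.cookie)">',
  website: 'javascript:alert(1)',
  notes: '"><script>fetch("/api/export")</script>',
};

// Coarse check used to compare the two renderers: does the output still
// contain an unescaped script/img tag or a javascript: link target?
function containsActiveContent(html) {
  return /<(script|img)|href="javascript:/i.test(html);
}

console.log('unsafe:', containsActiveContent(renderContactUnsafe(hostileContact)));
console.log('safe:  ', containsActiveContent(renderContactSafe(hostileContact)));
```

Run with `node`; the unsafe renderer emits the `<img onerror=...>`, the `javascript:` href and the `<script>` block verbatim, while the hardened one leaves them as inert text. Note that `escapeHtml` alone is not enough for the link target: an encoded `javascript:alert(1)` is still a working `javascript:` URL once the browser decodes the attribute, which is why the scheme allowlist is applied first.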
Affected Systems
The affected product is Synology Contacts. Every deployment running a version prior to 1.0.10-20659 is affected; no lower bound and no list of specific vulnerable releases is given, so all earlier releases should be treated as vulnerable, and 1.0.10-20659 is the first fixed release to upgrade to.
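Because the only version information is an upper bound, the practical check is a numeric comparison of the installed package version against 1.0.10-20659. The helper below is an added example, not Synology's code; it assumes the "major.minor.patch-build" layout seen in the advisory's version string and does not cover how the installed version is read from the system. Comparing these strings lexicographically would be wrong ("1.0.9" sorts after "1.0.10"), which is the pitfall the example avoids.

```javascript
// Added example (not Synology's code). Version format "major.minor.patch-build"
// is assumed from the advisory's "1.0.10-20659".
const FIXED_VERSION = '1.0.10-20659';

// Parse into four integers so that 1.0.9 < 1.0.10 and 20658 < 20659 compare
// numerically rather than as strings.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)-(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error('unrecognised version string: ' + v);
  return m.slice(1).map(Number); // [major, minor, patch, build]
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 4; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed version predates the first fixed release.
function isAffected(installed) {
  return compareVersions(installed, FIXED_VERSION) < 0;
}

console.log('1.0.9-20500 affected:', isAffected('1.0.9-20500'));
console.log('1.0.10-20659 affected:', isAffected('1.0.10-20659'));
```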
Risk and Exploitability
The CVSS score of 5.4 indicates medium severity. No EPSS value is provided, so the current probability of exploitation cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog. The attack requires an authenticated web session: the attacker submits specially crafted input through the contact interface, and the injected script runs in the browser of a user who views that content (as with any XSS, a victim generally has to load the affected page). Within that session the script can read or modify files the victim can access. The authentication requirement limits the pool of attackers to users who already hold legitimate credentials, but the script still acts with the victim's privileges inside the web application, so actions against other users' data remain possible.
OpenCVE Enrichment