4 matches found
CVE-2025-61672 Synapse: Invalid device keys degrade federation functionality
Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allows an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeserver...
PT-2021-14428 · Synapse +1
Name of the Vulnerable Software and Affected Versions: Synapse versions prior to 1.27.0. Description: The notification emails sent for notifications for missed messages or for an expiring account are subject to HTML injection. In the case of the notification for missed messages, this could allow a...
CVE-2020-26891
AuthRestServlet in Matrix Synapse before 1.21.0 is vulnerable to XSS due to unsafe interpolation of the session GET parameter. This allows a remote attacker to execute an XSS attack on the domain Synapse is hosted on, by supplying the victim user with a malicious URL to the...
Visual Synapse HTTP Server directory traversal
Directory traversal with backslash...