CVE-2026-48877

Insertion of Sensitive Information Into Sent Data vulnerability in Tom GenerateBlocks allows Retrieve Embedded Sensitive Data. This issue affects GenerateBlocks: from n/a through 2.1.0...

CVE-2026-40849

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the useralarmprofile view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality...

CVE-2026-40842

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getWidgetTags function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality...

CVE-2026-40843

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the alarming view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality...

CVE-2026-40844

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dashboard view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality...

CVE-2026-40845

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the devicesconfiguration view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality...

CVE-2026-40840

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the VerifyCreateLicences function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality...

CVE-2026-40846

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the system view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality...

CVE-2026-40841

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getProjectTags function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality...

CVE-2026-40834

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dashlayout.php files saveDashboardLayout function due to improper neutralization of special elements in a SQL INSERT command allowing for reading the whole database and inserting entries into a non...

CVE-2026-40839

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getComponentScalings function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality...

CVE-2026-40837

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getProjectScalings function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality...

CVE-2026-40836

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the inmessage model due to improper neutralization of special elements in a SQL DELETE command allowing for reading the whole database and deleting entries in a non critical table. This can result in a...

CVE-2026-40838

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getDeviceScalings function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality...

CVE-2026-40835

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the saveObjectFromData function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality...

CVE-2026-40832

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getDevicegroups function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality...

CVE-2026-40830

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the admin.mbnetj.php files UpdateParam function due to improper neutralization of special elements in a SQL UPDATE command allowing for reading the whole database and changing values in a non critical...

CVE-2026-40828

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the DeleteSysLogEntry function due to improper neutralization of special elements in a SQL DELETE command allowing for reading the whole database and deleting entries in a non critical table. This can...

CVE-2026-40827

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the RemoveRequest function due to improper neutralization of special elements in a SQL DELETE command allowing for reading the whole database and deleting entries in a non critical table. This can resu...

CVE-2026-40829

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the view.html.php files UpdateParam function due to improper neutralization of special elements in a SQL UPDATE command allowing for reading the whole database and changing values in a non critical...

CVE-2026-40833

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dash.php files saveDashboardLayout function due to improper neutralization of special elements in a SQL INSERT command allowing for reading the whole database and inserting entries into a non...

CVE-2026-40831

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the Easy View due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality...

CVE-2025-52747

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Jthemes Themebox - Digital Products Ecommerce allows Reflected XSS. This issue affects Themebox - Digital Products Ecommerce: from n/a through 1.4.2...

CVE-2026-2237

A use of get request method with sensitive query strings vulnerability in volume encryption of Synology Storage Manager package before 1.0.1-1100 allows local users on Windows to obtain sensitive information...

CVE-2025-66593

An origin validation error vulnerability in Synology Assistant before 7.0.6-50085 allows local users to write arbitrary files with restricted content and conduct denial-of-service during installation...

CVE-2025-66592

An origin validation error vulnerability in Synology Active Backup for Business Agent before 3.1.0-4967 allows local users to write arbitrary files with restricted content and conduct denial-of-service during installation...

CVE-2025-30028

A vulnerability in Active Backup for Business allows unauthorized remote attackers to read arbitrary files...

CVE-2025-13167

Improper neutralization of input during web page generation 'Cross-site Scripting' vulnerability in contact functionality in Synology Contacts before 1.0.10-20659 allows remote authenticated users to read or write specific files containing non-sensitive information via unspecified vectors...

CVE-2024-47272

Incorrect authorization vulnerability in IO Module functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to limited file write via unspecified vectors...

CVE-2025-10466

Improper neutralization of input during web page generation 'Cross-site Scripting' vulnerability in Safe Access in Synology Safe Access before 1.3.1-0329 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information or conduct...

CVE-2025-12686

Buffer copy without checking size of input 'Classic Buffer Overflow' vulnerability in AdminCenter in Synology BeeStation OS before 1.3.2-65648 allows remote attackers to execute arbitrary code via unspecified vectors...

CVE-2025-22741

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in RiceTheme Felan Framework allows Reflected XSS. This issue affects Felan Framework: from n/a through 1.1.3...

CVE-2025-13392

Improper check for unusual or exceptional conditions vulnerability in SSO in Synology DiskStation Manager DSM before 7.2.2-72806-5 and 7.3.1-86003-1 7.2.1-69057 is not affected allows remote attackers to bypass authentication with prior knowledge of the distinguished name DN...

CVE-2025-13593

Origin validation error vulnerability in Synology ActiveProtect Agent before 1.1.0-0439 allows local users to write arbitrary files with restricted content and conduct denial-of-service during installation...

CVE-2025-14713

An Exposed Dangerous Method or Function vulnerability in Synology C2 Identity Edge Server package in DSM before 1.76.0-0307 allows remote attackers to obtain user credentials from the edge server...

CVE-2024-11399

Files or directories accessible to external parties vulnerability in redis-server component in Synology BeeDrive for desktop before 1.3.2-13814 allows local users to conduct denial-of-service attacks via unspecified vectors...

CVE-2024-47270

Improper preservation of permissions vulnerability in Archiving Push functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to limited file write via unspecified vectors...

CVE-2024-47268

Missing authorization vulnerability in AddOns functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to obtain sensitive information via unspecified vectors...

CVE-2024-47267

Improper limitation of a pathname to a restricted directory 'Path Traversal' vulnerability in Archiving Pull functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to limited file write via unspecified vecto...

CVE-2024-47269

Cleartext transmission of sensitive information vulnerability in Export Key functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to obtain sensitive information via unspecified vectors...

CVE-2024-47271

Insufficiently protected credentials vulnerability in IPSpeaker component in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to obtain sensitive information via unspecified vectors...

CVE-2023-52945

Uncontrolled search path element vulnerability in OpenSSL DLL component in Synology BeeDrive for desktop before 1.3.2-13814 allows local users to execute arbitrary code via unspecified vectors...

CVE-2026-8906

The WP Promoter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts...

CVE-2026-8832

The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.3.5 This is due to the 'wpcode' custom post type being registered without a custom capabilitytype or capability...

CVE-2026-8143

The HBook plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hbcountryiso', 'hbusastateiso', and 'hbcanadaprovinceiso' parameters in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2026-8042

The Github Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'repo' shortcode attribute in the 'github' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVE-2026-7618

The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

CVE-2026-8942

The MetaMagic SEO Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6. This is due to missing or incorrect nonce validation on the metamagicupdateoptions function. This makes it possible for unauthenticated attackers to modify the...

CVE-2026-49001

Cross-site request forgery CSRF vulnerabilities allow attackers to exploit a user's authenticated session to forge cross-site requests, inducing the execution of unintended operations such as tampering with configuration data...

CVE-2026-6169

The affiliate-toolkit plugin for WordPress is vulnerable to remote code execution in all versions up to, and including, 3.8.5. This is due to the plugin using the BladeOne templating engine's runString method which compiles user-supplied template content into PHP code and executes it via eval...