CVE-2025-10466
Analyzed Analyzed - Analysis Complete
Cross-Site Scripting in Synology Safe Access

Publication date: 2026-05-27

Last updated on: 2026-06-02

Assigner: Synology Inc.

Description
Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Safe Access in Synology Safe Access before 1.3.1-0329 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information or conduct limited denial-of-service in SRM.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-06-02
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2025-10466
EUVD
EUVD-2025-209953
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
synology safe_access to 1.3.1-0329 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

To mitigate the CVE-2025-10466 vulnerability in Synology Safe Access, users should upgrade the Safe Access package in SRM to version 1.3.1-0329 or later.

This update addresses the Cross-site Scripting vulnerability that allows remote authenticated users with administrator privileges to read or write limited files or conduct limited denial-of-service.

Executive Summary

CVE-2025-10466 is a Cross-site Scripting (XSS) vulnerability in Synology Safe Access before version 1.3.1-0329. It occurs due to improper neutralization of input during web page generation, which allows remote authenticated users with administrator privileges to exploit the system.

Specifically, this vulnerability enables these users to read or write certain files containing non-sensitive information or to conduct a limited denial-of-service attack on the Synology Router Manager (SRM).

Impact Analysis

This vulnerability can impact you by allowing remote authenticated administrators to read or modify specific files that contain non-sensitive information, potentially leading to unauthorized changes or information disclosure.

Additionally, it can be used to perform a limited denial-of-service attack on the Synology Router Manager, which may disrupt normal network operations.

The overall risk is moderate, with a CVSS base score of 5.9, indicating that while the impact is not critical, it still poses a significant security concern that should be addressed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-10466. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart