CVE-2025-10466 PUBLISHED

Assigner: synology
Reserved: 15.09.2025 Published: 27.05.2026 Updated: 27.05.2026

Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Safe Access in Synology Safe Access before 1.3.1-0329 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information or conduct limited denial-of-service in SRM.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
CVSS Score: 5.9

Product Status

Vendor: Synology
Product: Safe Access
Versions: Default: affected
  • affected from * to 1.3.1-0329 (excl.)

Credits

  • Finder: Only Hack in Cave (tr4ce (Jinho Ju), neko_hat (Dohwan Kim), tw0n3 (Han Lee), Hc0wl (GangMin Kim)) (https://github.com/Team-OHiC)

Problem Types

  • CWE: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')