CVE-2025-10466

MEDIUM 5.9

CVSS Score

5.9

EPSS Score

0.0%

EPSS Percentile

0th

Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Safe Access in Synology Safe Access before 1.3.1-0329 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information or conduct limited denial-of-service in SRM.

CWE	CWE-79
Vendor	synology
Product	safe access
Published	May 27, 2026
Last Updated	May 27, 2026

Stay Ahead of the Next One

Get instant alerts for synology safe access

Be the first to know when new medium vulnerabilities affecting synology safe access are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

Low

Affected Versions

Synology / Safe Access

* < 1.3.1-0329

References

NVD ↗ CVE.org ↗ EPSS Data ↗

synology.com: https://www.synology.com/en-global/security/advisory/Synology_SA_25_11

Credits

Only Hack in Cave (tr4ce(Jinho Ju), neko_hat(Dohwan Kim), tw0n3(Han Lee), Hc0wl(GangMin Kim)) (https://github.com/Team-OHiC)