CVE-2026-3091

MEDIUM 6.7

CVSS Score

6.7

EPSS Score

0.0%

EPSS Percentile

0th

An uncontrolled search path element vulnerability in Synology Presto Client before 2.1.3-0672 allows local users to read or write arbitrary files during installation by placing a malicious DLL in advance in the same directory as the installer.

CWE	CWE-427
Vendor	synology
Product	synology presto client
Published	Feb 24, 2026
Last Updated	Feb 24, 2026

Stay Ahead of the Next One

Get instant alerts for synology synology presto client

Be the first to know when new medium vulnerabilities affecting synology synology presto client are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

Synology / Synology Presto Client

* < 2.1.3-0672

References

NVD ↗ CVE.org ↗ EPSS Data ↗

synology.com: https://www.synology.com/en-global/security/advisory/Synology_SA_26_02

Credits

Sahil Shah