Synology-SA-26:11 Synology MailPlus Server

Abstract

• CVE-2026-13136 allows remote attackers to read or write arbitrary files and conduct denial-of-service attacks.
• CVE-2025-15660 (ZDI-CAN-28554) allows adjacent attackers to read or write arbitrary files and conduct denial-of-service attacks.
• CVE-2026-13135 (ZDI-CAN-28485) allows remote attackers to access internal services.

Please refer to the 'Affected Products' table for the corresponding updates.

Affected Products

Mitigation

None

Detail

• CVE-2026-13136

  • Severity: Critical
  • CVSS3 Base Score: 10.0
  • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • CWE-863: Incorrect Authorization
  • ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

• CVE-2025-15660

  • Severity: Critical
  • CVSS3 Base Score: 9.6
  • CVSS3 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
  • ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

• CVE-2026-13135

  • Severity: Moderate
  • CVSS3 Base Score: 5.3
  • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • CWE-923: Improper Restriction of Communication Channel to Intended Endpoints
  • ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Acknowledgement

• gcali (_gcali) working with Trend Micro Zero Day Initiative

• ABBA Labs

Reference

• CVE-2025-15660
• CVE-2026-13135
• CVE-2026-13136

Revision