Synology-SA-26:06 DSM

Abstract

• CVE-2026-40530, CVE-2026-4036, CVE-2026-40531, CVE-2026-40532, CVE-2026-40534, CVE-2026-40536, CVE-2026-40537 allow remote authenticated users to read or write arbitrary or limited files, conduct denial-of-service attacks, and obtain sensitive or non-sensitive information, including arbitrary sharing files.


• CVE-2026-40533, CVE-2026-40535, and CVE-2026-40538 allow remote attackers to obtain non-sensitive information, read or write limited files, and conduct limited denial-of-service attacks.


• CVE-2026-40539 allows man-in-the-middle attackers to read or write arbitrary files and conduct denial-of-service attacks.

Please refer to the 'Affected Products' table for the corresponding updates.

Affected Products

Mitigation

None

Detail

• CVE-2026-40530

  • Severity: Important
  • CVSS3 Base Score: 8.0
  • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
  • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
  • ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

• CVE-2026-40539

  • Severity: Important
  • CVSS3 Base Score: 7.1
  • CVSS3 Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CWE-295: Improper Certificate Validation
  • ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

• CVE-2026-4036

  • Severity: Moderate
  • CVSS3 Base Score: 6.5
  • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

• CVE-2026-40531

  • Severity: Moderate
  • CVSS3 Base Score: 4.3
  • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
  • CWE-190: Integer Overflow or Wraparound
  • ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

• CVE-2026-40532

  • Severity: Moderate
  • CVSS3 Base Score: 6.5
  • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • CWE-425: Direct Request ('Forced Browsing')
  • ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

• CVE-2026-40533

  • Severity: Moderate
  • CVSS3 Base Score: 5.3
  • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • CWE-202: Exposure of Sensitive Information Through Data Queries
  • ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

• CVE-2026-40534

  • Severity: Moderate
  • CVSS3 Base Score: 5.4
  • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

• CVE-2026-40535

  • Severity: Moderate
  • CVSS3 Base Score: 6.5
  • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

• CVE-2026-40536

  • Severity: Moderate
  • CVSS3 Base Score: 4.3
  • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

• CVE-2026-40537

  • Severity: Moderate
  • CVSS3 Base Score: 4.3
  • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  • CWE-918: Server-Side Request Forgery (SSRF)
  • ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

• CVE-2026-40538

  • Severity: Low
  • CVSS3 Base Score: 3.7
  • CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
  • CWE-307: Improper Restriction of Excessive Authentication Attempts
  • ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Acknowledgement

• Warisse Valentin (Aytio) :

CVE-2026-40530, CVE-2026-40535, CVE-2026-40537

• Ben R of Interrupt Labs (https://www.interruptlabs.co.uk) :

CVE-2026-40539

• juhye0p, ZZoMb1E (STEALIEN INC.) :

CVE-2026-4036

• Pumpkin (@u1f383) from DEVCORE Research Team :

CVE-2026-40531

• izut and Searat from the Web Hacker Team（https://github.com/web-hacker-team/）:

CVE-2026-40532, CVE-2026-40536

• Allendraa A/L Anbalagan :

CVE-2026-40533

• HE JIASHENG :

CVE-2026-40534

• Andreas Rothenbacher (error401.de) :

CVE-2026-40538

Revision