Synology: Three Security Advisories on Resolved Vulnerabilities
Concerning DSM (DiskStation Manager) and SSL VPN client
This is a Press Release edited by StorageNewsletter.com on April 21, 2026 at 2:00 pm.
Synology, Inc. has published three security advisories on resolved vulnerabilities concerning DSM (DiskStation Manager) and the Synology SSL VPN Client.
Synology-SA-26:07 DSM
Publish Time: 2026-04-15 14:23:59 UTC+8
Last Updated: 2026-04-15 14:25:52 UTC+8
Severity: Moderate
Status: Resolved
Abstract
Synology has released a security update for DSM to address a vulnerability:
- CVE-2026-40540 allows remote authenticated users to obtain non-sensitive information.
Refer to the ‘Affected Products’ table for the corresponding updates.
Affected Products
| Product | Severity | Fixed Release Availability |
|---|---|---|
| DSM 7.3 | Moderate | Upgrade to 7.3-81180 or above. |
| DSM 7.2.2 | Moderate | Upgrade to 7.2.2-72806-7 or above. |
| DSM 7.2.1 | Moderate | Upgrade to 7.2.1-69057-10 or above. |
Mitigation: None
Detail: Reserved
Acknowledgement: Warisse Valentin (Aytio)
Revision
| Revision | Date | Description |
|---|---|---|
| 1 | 2026-04-15 | Initial public release. |
Synology-SA-26:06 DSM
Publish Time: 2026-04-15 14:23:26 UTC+8
Last Updated: 2026-04-15 14:25:20 UTC+8
Severity: Important
Status: Resolved
Abstract
Synology has released a security update for DSM to address multiple vulnerabilities:
- CVE-2026-40530, CVE-2026-4036, CVE-2026-40531, CVE-2026-40532, CVE-2026-40534, CVE-2026-40536 and CVE-2026-40537 allow remote authenticated users to read or write arbitrary or limited files, conduct denial-of-service attacks, and obtain sensitive or non-sensitive information, including arbitrary shared files.
- CVE-2026-40533, CVE-2026-40535 and CVE-2026-40538 allow remote attackers to obtain non-sensitive information, read or write limited files, and conduct limited denial-of-service attacks.
- CVE-2026-40539 allows man-in-the-middle attackers to read or write arbitrary files and conduct denial-of-service attacks.
Refer to the ‘Affected Products’ table for the corresponding updates.
Affected Products
| Product | Severity | Fixed Release Availability |
|---|---|---|
| DSM 7.3 | Important | Upgrade to 7.3.2-86009-2 or above. |
| DSM 7.2.2 | Important | Upgrade to 7.2.2-72806-7 or above. |
| DSM 7.2.1 | Important | Upgrade to 7.2.1-69057-10 or above. |
Mitigation: None
Detail:
- CVE-2026-40530
  - Severity: Important
  - CVSS3 Base Score: 8.0
  - CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
  - CWE-93: Improper Neutralization of CRLF Sequences (‘CRLF Injection’)
  - ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
- CVE-2026-40539
  - Severity: Important
  - CVSS3 Base Score: 7.1
  - CVSS3 Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
  - CWE-295: Improper Certificate Validation
  - ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
- CVE-2026-4036
  - Severity: Moderate
  - CVSS3 Base Score: 6.5
  - CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  - CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
  - ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
- CVE-2026-40531
  - Severity: Moderate
  - CVSS3 Base Score: 4.3
  - CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
  - CWE-190: Integer Overflow or Wraparound
  - ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
- CVE-2026-40532
  - Severity: Moderate
  - CVSS3 Base Score: 6.5
  - CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  - CWE-425: Direct Request (‘Forced Browsing’)
  - ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
- CVE-2026-40533
  - Severity: Moderate
  - CVSS3 Base Score: 5.3
  - CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  - CWE-202: Exposure of Sensitive Information Through Data Queries
  - ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
- CVE-2026-40534
  - Severity: Moderate
  - CVSS3 Base Score: 5.4
  - CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
  - CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  - ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
- CVE-2026-40535
  - Severity: Moderate
  - CVSS3 Base Score: 6.5
  - CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
  - CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
  - ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
- CVE-2026-40536
  - Severity: Moderate
  - CVSS3 Base Score: 4.3
  - CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  - CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
  - ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
- CVE-2026-40537
  - Severity: Moderate
  - CVSS3 Base Score: 4.3
  - CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  - CWE-918: Server-Side Request Forgery (SSRF)
  - ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
- CVE-2026-40538
  - Severity: Low
  - CVSS3 Base Score: 3.7
  - CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
  - CWE-307: Improper Restriction of Excessive Authentication Attempts
  - ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Acknowledgement:
- Warisse Valentin (Aytio): CVE-2026-40530, CVE-2026-40535, CVE-2026-40537
- Ben R of Interrupt Labs (https://www.interruptlabs.co.uk): CVE-2026-40539
- juhye0p, ZZoMb1E (STEALIEN INC.): CVE-2026-4036
- Pumpkin (@u1f383) from DEVCORE Research Team: CVE-2026-40531
- izut and Searat from the Web Hacker Team (https://github.com/web-hacker-team/): CVE-2026-40532, CVE-2026-40536
- Allendraa A/L Anbalagan: CVE-2026-40533
- HE JIASHENG: CVE-2026-40534
- Andreas Rothenbacher (error401.de): CVE-2026-40538
Revision
| Revision | Date | Description |
|---|---|---|
| 1 | 2026-04-15 | Initial public release. |
Synology-SA-26:05 Synology SSL VPN Client
Publish Time: 2026-04-10 17:21:40 UTC+8
Last Updated: 2026-04-10 17:21:40 UTC+8
Severity: Important
Status: Resolved
Abstract
Synology has released a security update for the Synology SSL VPN Client utility to address two vulnerabilities:
- CVE-2021-47960 allows remote attackers to access sensitive files from the SSL VPN Client installation directory via a local HTTP service when a user interacts with a crafted web page.
- CVE-2021-47961 allows remote attackers to obtain or manipulate the PIN code in SSL VPN Client, potentially leading to unauthorized VPN configuration and traffic interception when a user interacts with a crafted web page.
Refer to the Affected Products table for the corresponding updates.
Affected Products
| Product | Severity | Fixed Release Availability |
|---|---|---|
| Synology SSL VPN Client | Important | Upgrade to 1.4.5-0684 or above. |
Mitigation: None
Detail:
- CVE-2021-47960
  - Severity: Important
  - CVSS3 Base Score: 6.5
  - CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
  - CWE-552: Files or Directories Accessible to External Parties
  - A files or directories accessible to external parties vulnerability in Synology SSL VPN Client before 1.4.5-0684 allows remote attackers to access files within the installation directory via a local HTTP server bound to the loopback interface. By leveraging user interaction with a crafted web page, attackers may retrieve sensitive files such as configuration files, certificates, and logs, leading to information disclosure.
- CVE-2021-47961
  - Severity: Important
  - CVSS3 Base Score: 8.1
  - CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
  - CWE-256: Plaintext Storage of a Password
  - A plaintext storage of a password vulnerability in Synology SSL VPN Client before 1.4.5-0684 allows remote attackers to access or influence the user’s PIN code due to insecure storage. This may lead to unauthorized VPN configuration and potential interception of subsequent VPN traffic when combined with user interaction.
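The CVE-2021-47960 entry describes the failure mode of an HTTP service that a desktop client binds to the loopback interface: "bound to 127.0.0.1" is not an access control, because the user's browser also sits on 127.0.0.1 and a crafted page can make it send requests there. The admission check below is an added example of the defences such a service needs (Host pinning against DNS rebinding, Origin and Sec-Fetch-Site checks against cross-site fetches, a fixed route allowlist instead of a directory mapping, and a per-session token the UI receives out of band). It is not the Synology SSL VPN Client's code; the port 8412, the `/api/...` routes, the `X-Session-Token` header and the sample requests are all constructed for the example.

```python
"""Admission check for an HTTP service a desktop client binds to 127.0.0.1.
Added example with a hypothetical port, routes and token header; it is not
the Synology SSL VPN Client's code."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

LOOPBACK_NAMES = {"127.0.0.1", "localhost", "::1"}
# Only fixed API routes exist; URLs are never mapped onto the installation
# directory, so there is no config, certificate or log file to fetch.
ALLOWED_ROUTES = {"/api/status", "/api/connect"}  # hypothetical


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


class LoopbackGuard:
    def __init__(self, port: int):
        self.port = port
        self.origin = f"http://127.0.0.1:{port}"
        # Handed to the application's own UI out of band (e.g. a file only the
        # logged-in user can read); a page from another origin never sees it.
        self.session_token = secrets.token_urlsafe(32)

    def admit(self, req: Request) -> tuple:
        """Return (allowed, reason) for one request."""
        h = {k.lower(): v for k, v in req.headers.items()}

        # 1. Host must be a loopback name with our port. After DNS rebinding
        #    the browser still sends the attacker's hostname here, so this
        #    check alone defeats that technique.
        try:
            parts = urlsplit("//" + h.get("host", ""))
            host_ok = parts.hostname in LOOPBACK_NAMES and parts.port == self.port
        except ValueError:
            host_ok = False
        if not host_ok:
            return False, "host is not this loopback service"

        # 2. Cross-origin browser fetches carry Origin (and Sec-Fetch-Site).
        #    Only the application's own origin is accepted; CORS is never
        #    opened with Access-Control-Allow-Origin: *.
        origin = h.get("origin")
        if origin is not None and origin != self.origin:
            return False, f"untrusted origin {origin}"
        if h.get("sec-fetch-site", "same-origin") not in {"same-origin", "none"}:
            return False, "cross-site fetch"

        # 3. Route allowlist instead of a filesystem mapping, so traversal
        #    sequences have nothing to traverse.
        if req.path not in ALLOWED_ROUTES:
            return False, "unknown route"

        # 4. Proof of possession of the per-session secret, constant-time.
        token = h.get("x-session-token", "")
        if not hmac.compare_digest(token, self.session_token):
            return False, "missing or wrong session token"
        return True, "ok"

    def cors_headers(self, req: Request) -> dict:
        """Reflect only the trusted origin; never a wildcard."""
        origin = {k.lower(): v for k, v in req.headers.items()}.get("origin")
        if origin == self.origin:
            return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
        return {}


def demo() -> dict:
    """Run constructed requests through the guard; returns name -> admitted."""
    guard = LoopbackGuard(8412)
    own = {"Host": "127.0.0.1:8412", "X-Session-Token": guard.session_token,
           "Origin": guard.origin, "Sec-Fetch-Site": "same-origin"}
    cases = {
        "own UI": Request("GET", "/api/status", own),
        "crafted page, CORS fetch": Request("GET", "/api/status", {
            "Host": "127.0.0.1:8412", "Origin": "https://attacker.example",
            "Sec-Fetch-Site": "cross-site"}),
        "crafted page, DNS rebinding": Request("GET", "/api/status", {
            "Host": "attacker.example:8412", "Origin": "http://attacker.example"}),
        "file fetch from install dir": Request("GET", "/../logs/client.log", own),
        "no token": Request("GET", "/api/status", {"Host": "localhost:8412"}),
    }
    return {name: guard.admit(r)[0] for name, r in cases.items()}


if __name__ == "__main__":
    for name, admitted in demo().items():
        print(f"{name}: {'admitted' if admitted else 'rejected'}")
```

The order of the checks matters little for security, but rejecting on Host first keeps the token comparison from ever running for traffic that could not have come from the application's own origin. The plaintext PIN issue (CVE-2021-47961) is a storage problem the request guard does not address; the secret there needs to live in the platform credential store rather than in a file the same local service can read back.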
Acknowledgement: Laurent Sibilla (https://www.linkedin.com/in/lsibilla/)
Revision
| Revision | Date | Description |
|---|---|---|
| 1 | 2026-04-10 | Initial public release. |
| 2 | 2026-04-10 | Disclosed vulnerability details. |