ByteOS Network

CVE Vulnerability Details :

CVE-2025-13167

PUBLISHED

More Info Official Page

Assigner-synology

Assigner Org ID-db201096-a0cc-46c7-9a55-61d9e221bf01

Published At-27 May, 2026 | 08:34

Updated At-27 May, 2026 | 08:34

▼CVE Numbering Authority (CNA)

Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in contact functionality in Synology Contacts before 1.0.10-20659 allows remote authenticated users to read or write specific files containing non-sensitive information via unspecified vectors.

Affected Products

Vendor

Synology, Inc.

Product

Synology Contacts

Default Status

affected

Versions

Affected

From * before 1.0.10-20659 (semver)

Problem Types

Type	CWE ID	Description
CWE	CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Type: CWE

CWE ID: CWE-79

Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Metrics

Version	Base score	Base severity	Vector
3.1	5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Version: 3.1

Base score: 5.4

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Credits

finder

Warisse Valentin (Aytio)

References

Hyperlink	Resource
https://www.synology.com/en-global/security/advisory/Synology_SA_25_13	vendor-advisory

Hyperlink: https://www.synology.com/en-global/security/advisory/Synology_SA_25_13

Resource:

vendor-advisory

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References