Cross-site Scripting Vulnerability in Synology Contacts by Synology
CVE-2025-13167

5.4MEDIUM

Key Information:

Vendor: Synology
Status: Synology Contacts
Vendor: CVE Published:; 27 May 2026

What is CVE-2025-13167?

A Cross-site Scripting (XSS) vulnerability exists in the contact functionality of Synology Contacts prior to version 1.0.10-20659. This flaw allows remote authenticated users to exploit the system by reading or writing certain files that contain non-sensitive information. The vulnerability arises from improper handling of user input during the web page generation process. Attackers can utilize this loophole through unspecified vectors, potentially impacting the integrity of user data and system functionality.

Affected Version(s)

Synology Contacts *

References

https://www.synology.com/en-global/security/advisory/Syno...

vendor-advisory

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 27, 2026
Vulnerability Reserved
Nov 14, 2025

Credit

Warisse Valentin (Aytio)

CVE-2025-13167 Data

JSON