CVE-2026-3091 | THREATINT

Description

An uncontrolled search path element vulnerability in Synology Presto Client before 2.1.3-0672 allows local users to read or write arbitrary files during installation by placing a malicious DLL in advance in the same directory as the installer.

PUBLISHED Reserved 2026-02-24 | Published 2026-02-24 | Updated 2026-02-24 | Assigner synology

MEDIUM: 6.7CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Problem types

Uncontrolled Search Path Element

Product status

Default status

affected

* (semver) before 2.1.3-0672

affected

Credits

Sahil Shah finder

References

www.synology.com/...obal/security/advisory/Synology_SA_26_02 (Synology-SA-26:02 Synology Presto Client) vendor-advisory

cve.org (CVE-2026-3091)

nvd.nist.gov (CVE-2026-3091)

Download JSON