{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3091", "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "state": "PUBLISHED", "assignerShortName": "synology", "dateReserved": "2026-02-24T01:34:19.753Z", "datePublished": "2026-02-24T02:31:20.298Z", "dateUpdated": "2026-02-24T20:48:54.091Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "Uncontrolled Search Path Element", "cweId": "CWE-427", "type": "CWE"}]}], "affected": [{"vendor": "Synology", "product": "Synology Presto Client", "versions": [{"version": "*", "status": "affected", "lessThan": "2.1.3-0672", "versionType": "semver"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "An uncontrolled search path element vulnerability in Synology Presto Client before 2.1.3-0672 allows local users to read or write arbitrary files during installation by placing a malicious DLL in advance in the same directory as the installer."}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"baseScore": 6.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "version": "3.1"}}], "references": [{"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_26_02", "name": "Synology-SA-26:02 Synology Presto Client", "tags": ["vendor-advisory"]}], "credits": [{"lang": "en", "value": "Sahil Shah", "type": "finder"}], "providerMetadata": {"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "shortName": "synology", "dateUpdated": "2026-02-24T02:31:20.298Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T20:48:28.071520Z", "id": "CVE-2026-3091", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T20:48:54.091Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3091", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-24T20:48:28.071520Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T20:48:47.569Z"}}], "cna": {"credits": [{"lang": "en", "type": "finder", "value": "Sahil Shah"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Synology", "product": "Synology Presto Client", "versions": [{"status": "affected", "version": "*", "lessThan": "2.1.3-0672", "versionType": "semver"}], "defaultStatus": "affected"}], "references": [{"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_26_02", "name": "Synology-SA-26:02 Synology Presto Client", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "An uncontrolled search path element vulnerability in Synology Presto Client before 2.1.3-0672 allows local users to read or write arbitrary files during installation by placing a malicious DLL in advance in the same directory as the installer."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-427", "description": "Uncontrolled Search Path Element"}]}], "providerMetadata": {"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "shortName": "synology", "dateUpdated": "2026-02-24T02:31:20.298Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3091", "state": "PUBLISHED", "dateUpdated": "2026-02-24T20:48:54.091Z", "dateReserved": "2026-02-24T01:34:19.753Z", "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "datePublished": "2026-02-24T02:31:20.298Z", "assignerShortName": "synology"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:synology:presto_client:*:*:*:*:*:*:*:*", "matchCriteriaId": "40238C76-F264-425A-948A-34ABDE0AA07A", "versionEndExcluding": "2.1.3-0672", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An uncontrolled search path element vulnerability in Synology Presto Client before 2.1.3-0672 allows local users to read or write arbitrary files during installation by placing a malicious DLL in advance in the same directory as the installer."}, {"lang": "es", "value": "Una vulnerabilidad de elemento de ruta de b\u00fasqueda no controlado en Synology Presto Cliente antes de 2.1.3-0672 permite a usuarios locales leer o escribir archivos arbitrarios durante la instalaci\u00f3n al colocar una DLL maliciosa de antemano en el mismo directorio que el instalador."}], "id": "CVE-2026-3091", "lastModified": "2026-03-04T02:21:20.830", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "security@synology.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-24T03:16:03.890", "references": [{"source": "security@synology.com", "tags": ["Vendor Advisory"], "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_26_02"}], "sourceIdentifier": "security@synology.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-427"}], "source": "security@synology.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.3-0672)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Synology Presto Client", "source": "cna", "vendor": "Synology"}, "product": "synology_presto_client", "vendor": "synology"}], "analysis": {"en": {"generated_at": "2026-04-17T15:53:58.331413+00:00", "value": {"mitigation_remediation": ["Install Synology Presto Client version 2.1.3-0672 or later, which removes the vulnerable search path handling.", "Ensure the installation directory does not contain any DLL files before running the installer; delete any unexpected DLLs.", "Apply file system permissions that restrict write access to the installer directory, preventing untrusted users from dropping DLLs.", "Monitor installation activity for unexpected DLL execution, and respond to any alerts by logging and investigating the source."], "summary": {"action": "Upgrade", "impact": "Local File Access"}, "threat_synthesis": {"affected_systems": "Synology Presto Client applications older than version 2.1.3-0672, including all builds released prior to that version, are vulnerable.", "description_and_impact": "This vulnerability involves an uncontrolled search path element in Synology Presto Client before version 2.1.3-0672. During installation, if a user places a malicious DLL file in the same folder as the installer, the client may load that DLL, allowing the local user to read or modify arbitrary files on the system. This flaw is described by CWE-427, which can enable arbitrary code execution if the DLL runs with elevated privileges.", "risk_and_exploitability": "The CVSS score is 6.7 (medium), and the EPSS score is less than 1%, indicating a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires local access; the attacker must be able to execute the installer and place a DLL in its directory. Given the local requirement and low EPSS, the overall risk is moderate but warrants mitigation."}}}}, "created": "2026-02-24T09:53:19.162913+00:00", "title": "Uncontrolled Search Path Element Allows Local Users to Read/Write Arbitrary Files During Installation", "updated": "2026-04-17T16:00:11.379215+00:00", "vendors": ["synology", "synology$PRODUCT$synology_presto_client"]}