Aggregates CVE and security vulnerability intelligence across all syncthing-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk cross-site scripting and vendor risk path handling and related security problems, affecting vendor surface software deployment and vendor surface production workloads scenarios.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2022-46165 | Syncthing is an open source, continuous file synchronization program. In versions prior to 1.23.5 a compromised instance with shared folders could sync malicious files which contain arbitrary HTML and JavaScript in the name. If the owner of another device looks over the shared folder settings and moves the mouse over the latest sync, a script could be executed to change settings for shared folders or add devices automatically. Additionally adding a new device with a malicious name could embed HT | [email protected] | 4.6 | 0.76% | 2023-06-06 | 2024-11-21 |
| CVE-2021-21404 | Syncthing is a continuous file synchronization program. In Syncthing before version 1.15.0, the relay server `strelaysrv` can be caused to crash and exit by sending a relay message with a negative length field. Similarly, Syncthing itself can crash for the same reason if given a malformed message from a malicious relay server when attempting to join the relay. Relay joins are essentially random (from a subset of low latency relays) and Syncthing will by default restart when crashing, at which po | [email protected] | 7.5 | 0.25% | 2021-04-06 | 2024-11-21 |
| CVE-2017-1000420 | Syncthing version 0.14.33 and older is vulnerable to symlink traversal resulting in arbitrary file overwrite | [email protected] | 7.5 | 0.27% | 2018-01-02 | 2024-11-21 |