EIP-2026-112533

PRE-CVE

Synology Photostation < 6.7.2-3429 - Multiple Vulnerabilities

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-112533. PoCs published by GulfTech Security.

AI-analyzed exploit summary This document details multiple vulnerabilities in Synology PhotoStation, including SQL injection and file disclosure, which can be chained to achieve remote preauth root access. It provides technical analysis, exploitation steps, and proof-of-concept examples.

Description

Synology Photostation < 6.7.2-3429 - Multiple Vulnerabilities

Exploits (1)

exploitdb WRITEUP

by GulfTech Security · textwebappsphp

https://www.exploit-db.com/exploits/43844

View Code ZIP pw:eip

This document details multiple vulnerabilities in Synology PhotoStation, including SQL injection and file disclosure, which can be chained to achieve remote preauth root access. It provides technical analysis, exploitation steps, and proof-of-concept examples.

Classification

Writeup 100%

Attack Type

Sqli | Info Leak | Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: Synology PhotoStation <= 6.7.2-3429

No auth needed

Prerequisites: Network access to the target Synology NAS device · PhotoStation application installed and running

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter T1005 - Data from Local System

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026