
cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor: Element Hq (3b16b3ba-f167-5a48-b62a-dc4536b16c63)
Product: Synapse (e014d2ef-7c65-5736-b2d6-ae5e141b19a7)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL | Source | Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale
CVE:CVE-2026-45078 vulnerable 2026-06-08 08:05:11.448881 Synapse CPU starvation (Denial of Service)
Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing other users to be denied service. This vulnerability is fixed in 1.152.1.
Published: 2026-05-28T15:52:04.765Z
Updated: 2026-05-29T15:31:44.793Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-45076 vulnerable 2026-06-08 08:05:11.448569 Synapse pagination denial of service
Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, in federated rooms, malicious homeservers can craft room events in such a way that prevents Synapse from providing full history to paginating clients. Clients could therefore fail to display room history. This vulnerability is fixed in 1.152.1.
Published: 2026-05-28T15:50:25.842Z
Updated: 2026-06-02T14:51:34.553Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-61672 vulnerable 2026-06-08 07:37:27.912499 Synapse: Invalid device keys degrade federation functionality
Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allows an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. The issue is patched in Synapse 1.138.3, 1.138.4, 1.139.1, and 1.139.2. Note that even though 1.138.3 and 1.139.1 fix the vulnerability, they inadvertently introduced an unrelated regression. For this reason, the maintainers of Synapse recommend skipping these releases and upgrading straight to 1.138.4 and 1.139.2.
Published: 2025-10-08T14:55:06.378Z
Updated: 2025-10-15T16:11:07.284Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-30355 vulnerable 2026-06-08 07:16:59.913008 Synapse vulnerable to federation denial of service via malformed events
HIGH (7.1)
Synapse is an open source Matrix homeserver implementation. A malicious server can craft events which, when received, prevent Synapse versions up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild and has been fixed in Synapse v1.127.1. No known workarounds are available.
Published: 2025-03-27T00:59:27.996Z
Updated: 2025-03-27T13:47:50.179Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-53867 vulnerable 2026-06-08 06:54:15.653707 Synapse Matrix has a partial room state leak via Sliding Sync
MEDIUM (4.3)
Synapse is an open-source Matrix homeserver. The Sliding Sync feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak partial room state changes to users no longer in a room. Non-state events, like messages, are unaffected. This vulnerability is fixed in 1.120.1.
Published: 2024-12-03T16:52:01.596Z
Updated: 2024-12-03T19:07:19.919Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-53863 vulnerable 2026-06-08 06:54:15.646673 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-52815 vulnerable 2026-06-08 06:52:16.273722 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-52805 vulnerable 2026-06-08 06:52:16.263635 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-37303 vulnerable 2026-06-08 06:39:47.085865 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-37302 vulnerable 2026-06-08 06:39:47.084400 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-31208 vulnerable 2026-06-08 06:35:31.098186 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
