CVE-2026-30695
Received Received - Intake
Cross-Site Scripting in Zucchetti Axess Web Configuration Interface

Publication date: 2026-03-18

Last updated on: 2026-03-19

Assigner: MITRE

Description
A Cross-Site Scripting (XSS) vulnerability exists in the web-based configuration interface of Zucchetti Axess access control devices, including XA4, X3/X3BIO, X4, X7, and XIO / i-door / i-door+. The vulnerability is caused by improper sanitization of user-supplied input in the dirBrowse parameter of the /file_manager.cgi endpoint.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-18
Last Modified
2026-03-19
Generated
2026-06-16
AI Q&A
2026-03-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30695
EUVD
EUVD-2026-12870
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
zucchetti axess *
zucchetti xa4 h06_build_5522
zucchetti x3 x02_build_4163
zucchetti xio h06_build_5522
zucchetti idoor_plus h06_build_5522
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-30695 is a Cross-Site Scripting (XSS) vulnerability found in the web-based configuration interface of Zucchetti Axess access control devices, such as XA4, X3/X3BIO, X4, X7, XIO, i-door, and i-door+. The issue arises because the device does not properly sanitize user input in the dirBrowse parameter of the /file_manager.cgi endpoint.

An attacker who is authenticated can exploit this vulnerability by injecting malicious JavaScript code through the dirBrowse parameter. This code then executes in the context of an administrative user, potentially allowing the attacker to hijack sessions, make unauthorized configuration changes, or access sensitive information.

Impact Analysis

The vulnerability can have serious impacts including session hijacking, where an attacker takes over an administrative session; privilege escalation, allowing the attacker to gain higher access rights; and credential theft, exposing sensitive login information.

These impacts can lead to unauthorized changes in the device configuration and disclosure of sensitive data, potentially compromising the security and operation of the access control system.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the /file_manager.cgi endpoint of the Zucchetti Axess access control devices for improper sanitization of the dirBrowse parameter.'}, {'type': 'paragraph', 'content': 'A common method is to send a crafted GET request injecting a script tag into the dirBrowse parameter and observing if the script executes, indicating a Cross-Site Scripting (XSS) vulnerability.'}, {'type': 'paragraph', 'content': 'For example, you can use the following curl command to test the vulnerability:'}, {'type': 'list_item', 'content': 'curl -k -u <username>:<password> "http://<device-ip>/file_manager.cgi?dirBrowse=<script>alert(1)</script>"'}, {'type': 'paragraph', 'content': 'If the response contains the injected script without proper encoding or sanitization, the device is vulnerable.'}] [2]

Mitigation Strategies

Immediate mitigation steps include restricting access to the web-based configuration interface to trusted networks and users only.

Ensure that only authenticated and authorized users can access the /file_manager.cgi endpoint.

Monitor and filter input to the dirBrowse parameter to prevent injection of malicious scripts.

If available, apply any vendor-provided patches or firmware updates that address this vulnerability.

Additionally, consider implementing web application firewalls (WAF) rules to detect and block XSS attack patterns targeting this endpoint.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30695. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart