{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30695", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-19T14:14:34.931Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-18T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-18T16:52:39.295Z"}, "descriptions": [{"lang": "en", "value": "A Cross-Site Scripting (XSS) vulnerability exists in the web-based configuration interface of Zucchetti Axess access control devices, including XA4, X3/X3BIO, X4, X7, and XIO / i-door / i-door+. The vulnerability is caused by improper sanitization of user-supplied input in the dirBrowse parameter of the /file_manager.cgi endpoint."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://zucchetti.com"}, {"url": "http://firmware.com"}, {"url": "https://github.com/iremnurylmz/CVE-2026-30695"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T14:13:08.440681Z", "id": "CVE-2026-30695", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T14:14:34.931Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-30695", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-19T14:13:08.440681Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T14:14:27.610Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "http://zucchetti.com"}, {"url": "http://firmware.com"}, {"url": "https://github.com/iremnurylmz/CVE-2026-30695"}], "descriptions": [{"lang": "en", "value": "A Cross-Site Scripting (XSS) vulnerability exists in the web-based configuration interface of Zucchetti Axess access control devices, including XA4, X3/X3BIO, X4, X7, and XIO / i-door / i-door+. The vulnerability is caused by improper sanitization of user-supplied input in the dirBrowse parameter of the /file_manager.cgi endpoint."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-18T16:52:39.295Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30695", "state": "PUBLISHED", "dateUpdated": "2026-03-19T14:14:34.931Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-18T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A Cross-Site Scripting (XSS) vulnerability exists in the web-based configuration interface of Zucchetti Axess access control devices, including XA4, X3/X3BIO, X4, X7, and XIO / i-door / i-door+. The vulnerability is caused by improper sanitization of user-supplied input in the dirBrowse parameter of the /file_manager.cgi endpoint."}, {"lang": "es", "value": "Existe una vulnerabilidad de Cross-Site Scripting (XSS) en la interfaz de configuraci\u00f3n basada en web de los dispositivos de control de acceso Zucchetti Axess, incluyendo XA4, X3/X3BIO, X4, X7, y XIO / i-door / i-door+. La vulnerabilidad es causada por la sanitizaci\u00f3n inadecuada de la entrada proporcionada por el usuario en el par\u00e1metro dirBrowse del endpoint /file_manager.cgi."}], "id": "CVE-2026-30695", "lastModified": "2026-04-27T19:18:46.690", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-18T17:16:06.817", "references": [{"source": "cve@mitre.org", "url": "http://firmware.com"}, {"source": "cve@mitre.org", "url": "http://zucchetti.com"}, {"source": "cve@mitre.org", "url": "https://github.com/iremnurylmz/CVE-2026-30695"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 85.0, "confidence_source": "inferred", "scores": [{"score": 85.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "axess", "vendor": "zucchetti"}], "analysis": {"en": {"generated_at": "2026-03-19T17:23:53.895776+00:00", "value": {"mitigation_remediation": ["Verify and apply any available Zucchetti patch for the affected Axess devices", "If a patch is not available, restrict web\u2011interface access to trusted internal networks or VPN\u2011only connections", "Disable the HTTP/HTTPS services on the device when they are not required", "Deploy a web application firewall or implement custom rules to block malicious script inputs targeting the dirBrowse parameter", "Monitor device logs for anomalous scripting activity or unauthorized configuration changes"], "summary": {"action": "Check for Patch", "impact": "Cross-Site Scripting"}, "threat_synthesis": {"affected_systems": "The issue affects multiple Zucchetti Axess models, including XA4, X3/X3BIO, X4, X7, and the XIO / i\u2011door / i\u2011door+ series. No specific firmware or version numbers are provided, so any device within these product lines should be considered potentially vulnerable until verified.", "description_and_impact": "A reflected Cross\u2011Site Scripting vulnerability exists in the web\u2011based configuration interface of Zucchetti Axess access control devices. The flaw is caused by inadequate sanitization of the dirBrowse parameter in the /file_manager.cgi endpoint, allowing an attacker to inject arbitrary script code that executes in the view of an authenticated administrator. This CWE\u201179 weakness could lead to session hijacking, credential theft, or unauthorized configuration changes.", "risk_and_exploitability": "The CVSS score of 6.1 indicates moderate severity; the EPSS score of less than 1% suggests a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is via the web interface, accessed remotely by an authenticated administrator, though this is inferred rather than explicitly stated. Successful exploitation could compromise configuration integrity and provide a foothold for further network attacks."}}}}, "created": "2026-03-19T08:56:57.841812+00:00", "title": "Zucchetti Axess Web Interface XSS via dirBrowse Parameter", "updated": "2026-03-24T10:54:02.714459+00:00", "vendors": ["zucchetti", "zucchetti$PRODUCT$axess"]}