{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30918", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-07T16:40:05.884Z", "datePublished": "2026-03-09T22:53:25.764Z", "dateUpdated": "2026-03-10T14:20:28.739Z"}, "containers": {"cna": {"title": "facileManager Affected by Reflected Cross-Site Scripting (XSS)", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/facileManager/facileManager/security/advisories/GHSA-284f-mff7-744x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/facileManager/facileManager/security/advisories/GHSA-284f-mff7-744x"}], "affected": [{"vendor": "facileManager", "product": "facileManager", "versions": [{"version": "< 6.0.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-09T22:53:25.764Z"}, "descriptions": [{"lang": "en", "value": "facileManager is a modular suite of web apps built with the sysadmin in mind. Prior to 6.0.4 , a reflected XSS occurs when an application receives data from an untrusted source and uses it in its HTTP responses in a way that could lead to vulnerabilities. It is possible to inject malicious JavaScript code into a URL by adding a script in a parameter. This vulnerability was found in the fmDNS module. The parameter that is vulnerable to an XSS attack is log_search_query. This vulnerability is fixed in 6.0.4."}], "source": {"advisory": "GHSA-284f-mff7-744x", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T14:20:05.587520Z", "id": "CVE-2026-30918", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T14:20:28.739Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30918", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-10T14:20:05.587520Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T14:20:22.508Z"}}], "cna": {"title": "facileManager Affected by Reflected Cross-Site Scripting (XSS)", "source": {"advisory": "GHSA-284f-mff7-744x", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "facileManager", "product": "facileManager", "versions": [{"status": "affected", "version": "< 6.0.4"}]}], "references": [{"url": "https://github.com/facileManager/facileManager/security/advisories/GHSA-284f-mff7-744x", "name": "https://github.com/facileManager/facileManager/security/advisories/GHSA-284f-mff7-744x", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "facileManager is a modular suite of web apps built with the sysadmin in mind. Prior to 6.0.4 , a reflected XSS occurs when an application receives data from an untrusted source and uses it in its HTTP responses in a way that could lead to vulnerabilities. It is possible to inject malicious JavaScript code into a URL by adding a script in a parameter. This vulnerability was found in the fmDNS module. The parameter that is vulnerable to an XSS attack is log_search_query. This vulnerability is fixed in 6.0.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-09T22:53:25.764Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30918", "state": "PUBLISHED", "dateUpdated": "2026-03-10T14:20:28.739Z", "dateReserved": "2026-03-07T16:40:05.884Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-09T22:53:25.764Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:facilemanager:facilemanager:*:*:*:*:*:*:*:*", "matchCriteriaId": "ACF32B72-7187-4B8C-B452-67ACBA089B76", "versionEndExcluding": "6.0.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "facileManager is a modular suite of web apps built with the sysadmin in mind. Prior to 6.0.4 , a reflected XSS occurs when an application receives data from an untrusted source and uses it in its HTTP responses in a way that could lead to vulnerabilities. It is possible to inject malicious JavaScript code into a URL by adding a script in a parameter. This vulnerability was found in the fmDNS module. The parameter that is vulnerable to an XSS attack is log_search_query. This vulnerability is fixed in 6.0.4."}, {"lang": "es", "value": "facileManager es una suite modular de aplicaciones web dise\u00f1ada pensando en el administrador de sistemas. Antes de la versi\u00f3n 6.0.4, se produce un XSS reflejado cuando una aplicaci\u00f3n recibe datos de una fuente no confiable y los utiliza en sus respuestas HTTP de una manera que podr\u00eda generar vulnerabilidades. Es posible inyectar c\u00f3digo JavaScript malicioso en una URL a\u00f1adiendo un script en un par\u00e1metro. Esta vulnerabilidad fue encontrada en el m\u00f3dulo fmDNS. El par\u00e1metro que es vulnerable a un ataque XSS es log_search_query. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 6.0.4."}], "id": "CVE-2026-30918", "lastModified": "2026-03-13T14:55:46.947", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-10T17:40:15.667", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/facileManager/facileManager/security/advisories/GHSA-284f-mff7-744x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.0.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "facileManager", "source": "cna", "vendor": "facileManager"}, "product": "facilemanager", "vendor": "facilemanager"}], "analysis": {"en": {"generated_at": "2026-04-16T10:01:37.548558+00:00", "value": {"mitigation_remediation": ["Upgrade facileManager to version 6.0.4 or newer, which removes the reflected XSS flaw.", "If an upgrade is not immediately feasible, implement input sanitization for the log_search_query parameter, ensuring any user\u2011supplied data is properly escaped before being reflected in the response.", "Restrict access to the fmDNS module to trusted administrators and monitor for unusual query activity to detect potential exploitation attempts."], "summary": {"action": "Install patch", "impact": "Reflected Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "facileManager, a modular suite of web applications used by system administrators, is affected in all releases prior to version 6.0.4. The flaw resides in the fmDNS module and specifically in the log_search_query parameter. Users running any of the vulnerable releases should be aware that these systems are susceptible to the reflected XSS attack.", "description_and_impact": "The vulnerability is a reflected cross\u2011site scripting flaw (CWE\u201179) where an attacker can inject arbitrary JavaScript into a URL parameter. When that parameter is reflected in the HTTP response, the malicious code executes in the victim\u2019s browser, enabling session hijacking, credential theft, or other malicious client\u2011side actions. This type of attack does not directly compromise the server but can severely undermine application security and user trust.", "risk_and_exploitability": "The CVSS score of 7.6 indicates a high severity risk, while the EPSS score of less than 1% shows that the likelihood of this vulnerability being actively exploited today is low. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not been widely leveraged in known exploits. The attack vector is inferred to be remote via an attacker crafted URL that includes malicious JavaScript in the log_search_query parameter; a victim who follows or is tricked into clicking the link would have the script executed under their browser context."}}}}, "created": "2026-03-10T14:06:26.234545+00:00", "updated": "2026-04-16T10:15:26.100952+00:00", "vendors": ["facilemanager", "facilemanager$PRODUCT$facilemanager"]}