CVE Catalog

CVE-2026-30695

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.19%

9th percentile - higher than 9% of all known CVEs

Summary

A Cross-Site Scripting (XSS) vulnerability exists in the web-based configuration interface of Zucchetti Axess access control devices (models XA4, X3/X3BIO, X4, X7, XIO / i-door / i-door+). The issue is caused by improper sanitization of user-supplied input in the dirBrowse parameter of the /file_manager.cgi endpoint.

Risk Assessment

An attacker can inject malicious JavaScript code that executes in the administrator's browser, potentially leading to session theft, account takeover, or device configuration modification.

Recommendation

Immediately update the firmware of Zucchetti Axess devices to the latest version provided by the vendor. Until the update is applied, restrict access to the configuration interface to trusted IP addresses only.

Original NVD description (English source)

A Cross-Site Scripting (XSS) vulnerability exists in the web-based configuration interface of Zucchetti Axess access control devices, including XA4, X3/X3BIO, X4, X7, and XIO / i-door / i-door+. The vulnerability is caused by improper sanitization of user-supplied input in the dirBrowse parameter of the /file_manager.cgi endpoint.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS