CVE-2026-30695 - Vulnerability Analysis
MediumCVSS: 6.1Last Updated: March 19, 2026
Zucchetti Axess - Stored XSS
Published: March 18, 2026Updated: March 19, 2026PoC AvailableRemote Exploitable
Overview
Zucchetti Axess access control devices contain a stored XSS caused by improper sanitization of user input in the dirBrowse parameter of /file_manager.cgi, letting remote attackers execute scripts, exploit requires crafted request.
Severity & Score
Severity: Medium
CVSS Score: 6.1
Impact
Remote attackers can execute arbitrary scripts in users' browsers, potentially leading to session hijacking or unauthorized actions.
Mitigation
Update to the latest version with the vulnerability fixed.
Related Resources
Details
- CVE ID
- CVE-2026-30695
- Severity
- Medium
- CVSS Score
- 6.1
- Type
- stored_xss
- Status
- unconfirmed
CWE
- CWE-79
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N