Description
A Cross-Site Scripting (XSS) vulnerability exists in the web-based configuration interface of Zucchetti Axess access control devices, including XA4, X3/X3BIO, X4, X7, and XIO / i-door / i-door+. The vulnerability is caused by improper sanitization of user-supplied input in the dirBrowse parameter of the /file_manager.cgi endpoint.
Published: 2026-03-18
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting
Action: Check for Patch
AI Analysis

Impact

A reflected Cross‑Site Scripting vulnerability exists in the web‑based configuration interface of Zucchetti Axess access control devices. The flaw is caused by inadequate sanitization of the dirBrowse parameter in the /file_manager.cgi endpoint, allowing an attacker to inject arbitrary script code that executes in the view of an authenticated administrator. This CWE‑79 weakness could lead to session hijacking, credential theft, or unauthorized configuration changes.

Affected Systems

The issue affects multiple Zucchetti Axess models, including XA4, X3/X3BIO, X4, X7, and the XIO / i‑door / i‑door+ series. No specific firmware or version numbers are provided, so any device within these product lines should be considered potentially vulnerable until verified.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity; the EPSS score of less than 1% suggests a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is via the web interface, accessed remotely by an authenticated administrator, though this is inferred rather than explicitly stated. Successful exploitation could compromise configuration integrity and provide a foothold for further network attacks.

Generated by OpenCVE AI on March 19, 2026 at 17:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify and apply any available Zucchetti patch for the affected Axess devices
  • If a patch is not available, restrict web‑interface access to trusted internal networks or VPN‑only connections
  • Disable the HTTP/HTTPS services on the device when they are not required
  • Deploy a web application firewall or implement custom rules to block malicious script inputs targeting the dirBrowse parameter
  • Monitor device logs for anomalous scripting activity or unauthorized configuration changes

Generated by OpenCVE AI on March 19, 2026 at 17:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
Title Zucchetti Axess Web Interface XSS via dirBrowse Parameter

Thu, 19 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Zucchetti
Zucchetti axess
Vendors & Products Zucchetti
Zucchetti axess

Wed, 18 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
Description A Cross-Site Scripting (XSS) vulnerability exists in the web-based configuration interface of Zucchetti Axess access control devices, including XA4, X3/X3BIO, X4, X7, and XIO / i-door / i-door+. The vulnerability is caused by improper sanitization of user-supplied input in the dirBrowse parameter of the /file_manager.cgi endpoint.
References

Subscriptions

Zucchetti Axess
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-19T14:14:34.931Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30695

cve-icon Vulnrichment

Updated: 2026-03-19T14:14:27.610Z

cve-icon NVD

Status : Deferred

Published: 2026-03-18T17:16:06.817

Modified: 2026-04-27T19:18:46.690

Link: CVE-2026-30695

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:54:02Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')