CVE-2026-30918 - Vulnerability Details

- facileManager Affected by Reflected Cross-Site Scripting (XSS)

Description

facileManager is a modular suite of web apps built with the sysadmin in mind. Prior to 6.0.4 , a reflected XSS occurs when an application receives data from an untrusted source and uses it in its HTTP responses in a way that could lead to vulnerabilities. It is possible to inject malicious JavaScript code into a URL by adding a script in a parameter. This vulnerability was found in the fmDNS module. The parameter that is vulnerable to an XSS attack is log_search_query. This vulnerability is fixed in 6.0.4.

Published: 2026-03-09

Score: 7.6 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a reflected cross‑site scripting flaw (CWE‑79) where an attacker can inject arbitrary JavaScript into a URL parameter. When that parameter is reflected in the HTTP response, the malicious code executes in the victim’s browser, enabling session hijacking, credential theft, or other malicious client‑side actions. This type of attack does not directly compromise the server but can severely undermine application security and user trust.

Affected Systems

facileManager, a modular suite of web applications used by system administrators, is affected in all releases prior to version 6.0.4. The flaw resides in the fmDNS module and specifically in the log_search_query parameter. Users running any of the vulnerable releases should be aware that these systems are susceptible to the reflected XSS attack.

Risk and Exploitability

The CVSS score of 7.6 indicates a high severity risk, while the EPSS score of less than 1% shows that the likelihood of this vulnerability being actively exploited today is low. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not been widely leveraged in known exploits. The attack vector is inferred to be remote via an attacker crafted URL that includes malicious JavaScript in the log_search_query parameter; a victim who follows or is tricked into clicking the link would have the script executed under their browser context.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

facileManager

affected

Version	Status	Constraints
`< 6.0.4`	affected	—

Configuration 1 [-]

cpe:2.3:a:facilemanager:facilemanager:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Facilemanager

100%

Version	Status	Scheme	Platform
`[0,6.0.4)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade facileManager to version 6.0.4 or newer, which removes the reflected XSS flaw.
If an upgrade is not immediately feasible, implement input sanitization for the log_search_query parameter, ensuring any user‑supplied data is properly escaped before being reflected in the response.
Restrict access to the fmDNS module to trusted administrators and monitor for unusual query activity to detect potential exploitation attempts.

Generated by OpenCVE AI on April 16, 2026 at 10:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00051.

Exploitation poc

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/facileManager/facileManager/security/advisories/GHSA-284f-mff7-744x

History

Fri, 13 Mar 2026 15:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:facilemanager:facilemanager::::::::

Tue, 10 Mar 2026 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 10 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Facilemanager Facilemanager facilemanager
Vendors & Products		Facilemanager Facilemanager facilemanager

Mon, 09 Mar 2026 23:15:00 +0000

Type	Values Removed	Values Added
Description		facileManager is a modular suite of web apps built with the sysadmin in mind. Prior to 6.0.4 , a reflected XSS occurs when an application receives data from an untrusted source and uses it in its HTTP responses in a way that could lead to vulnerabilities. It is possible to inject malicious JavaScript code into a URL by adding a script in a parameter. This vulnerability was found in the fmDNS module. The parameter that is vulnerable to an XSS attack is log_search_query. This vulnerability is fixed in 6.0.4.
Title		facileManager Affected by Reflected Cross-Site Scripting (XSS)
Weaknesses		CWE-79
References		https://github.com/facileManager/facileManager/security/advisories/GHSA-284f-mff7-744x
Metrics		cvssV3_1 `{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L'}`

Subscriptions

Facilemanager Facilemanager

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-09T22:53:25.764Z

Updated: 2026-03-10T14:20:28.739Z

Reserved: 2026-03-07T16:40:05.884Z

Link: CVE-2026-30918

Vulnrichment

Updated: 2026-03-10T14:20:22.508Z

NVD

Status : Analyzed

Published: 2026-03-10T17:40:15.667

Modified: 2026-03-13T14:55:46.947

Link: CVE-2026-30918

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T10:15:26Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction Required

Exploitation poc

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object