Description
facileManager is a modular suite of web apps built with the sysadmin in mind. Prior to 6.0.4 , stored XSS (also known as persistent or second-order XSS) occurs when an application receives data from an untrusted source and includes that data in its subsequent HTTP responses in an unsafe manner. This vulnerability was found in the fmDNS module. This vulnerability is fixed in 6.0.4.
Published: 2026-03-09
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS) that allows an attacker to inject malicious script into HTTP responses shown to other authenticated users via the fmDNS module.
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a stored XSS flaw where untrusted input is reflected in HTTP responses without sanitization. An attacker could inject JavaScript that executes in the context of other users’ browsers, potentially enabling session hijacking, data theft, or defacement of the web interface. The weakness is a classic client‑side injection (CWE‑79).

Affected Systems

The susceptible component is the fmDNS module of the facileManager suite. All installations of facileManager prior to version 6.0.4 are affected; the issue is resolved in 6.0.4 and later releases.

Risk and Exploitability

With a CVSS score of 7.6 the vulnerability is classified as high severity. The EPSS score is below 1%, indicating low predicted exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves an attacker inserting a malicious payload into a field accepted by the fmDNS module, which is then persisted and later rendered in another user’s browser. No specific prerequisites beyond authenticated access to the module are stated, so the risk profile is medium‑to‑high if user accounts have privileged permissions.

Generated by OpenCVE AI on April 16, 2026 at 10:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade facileManager to version 6.0.4 or newer to eliminate the stored XSS flaw
  • Configure the application to perform strict input validation and output encoding for all user‑supplied data before rendering it in any page
  • Limit user privileges for modules that accept external input and monitor for anomalous cross‑site scripting attempts

Generated by OpenCVE AI on April 16, 2026 at 10:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:facilemanager:facilemanager:*:*:*:*:*:*:*:*

Tue, 10 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Facilemanager
Facilemanager facilemanager
Vendors & Products Facilemanager
Facilemanager facilemanager

Mon, 09 Mar 2026 23:15:00 +0000

Type Values Removed Values Added
Description facileManager is a modular suite of web apps built with the sysadmin in mind. Prior to 6.0.4 , stored XSS (also known as persistent or second-order XSS) occurs when an application receives data from an untrusted source and includes that data in its subsequent HTTP responses in an unsafe manner. This vulnerability was found in the fmDNS module. This vulnerability is fixed in 6.0.4.
Title facileManager Affected by Stored Cross-Site Scripting (XSS)
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L'}

Subscriptions

Facilemanager Facilemanager
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T14:17:35.239Z

Reserved: 2026-03-07T16:40:05.884Z

Link: CVE-2026-30919

cve-icon Vulnrichment

Updated: 2026-03-10T14:17:31.124Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T17:40:15.837

Modified: 2026-03-13T14:51:44.140

Link: CVE-2026-30919

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T10:15:26Z

Weaknesses