CVE-2026-30695
Description
A Cross-Site Scripting (XSS) vulnerability exists in the web-based configuration interface of Zucchetti Axess access control devices, including XA4, X3/X3BIO, X4, X7, and XIO / i-door / i-door+. The vulnerability is caused by improper sanitization of user-supplied input in the dirBrowse parameter of the /file_manager.cgi endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in Zucchetti Axess devices allows unauthenticated attackers to execute arbitrary JavaScript in admin sessions via the dirBrowse parameter.
Vulnerability
Overview
A cross-site scripting (XSS) vulnerability has been identified in the web-based configuration interface of multiple Zucchetti Axess access control devices, including the XA4, X3/X3BIO, X4, X7, and XIO / i-door / i-door+ models [1]. The flaw arises from improper sanitization of user-supplied input in the dirBrowse parameter of the /file_manager.cgi endpoint [1]. This allows an attacker to inject arbitrary HTML and JavaScript code into the administrative interface.
Exploitation
Details
The vulnerability can be triggered by sending a crafted HTTP GET request to the vulnerable endpoint, such as /file_manager.cgi?dirBrowse=PAYLOAD where PAYLOAD contains a malicious script [1]. An unauthenticated attacker can exploit this remotely over the network with low complexity, though user interaction is required (e.g., an administrator viewing the affected page) [1]. The attacker does not need prior authentication to inject the payload, but the script executes in the security context of the authenticated administrative user [1].
Impact
Successful exploitation could lead to session hijacking, unauthorized configuration changes, credential theft, and privilege escalation within the device management interface [1]. The stored nature of the XSS means the injected script persists and may affect multiple administrative sessions [1].
Mitigation
Zucchetti has not yet released a public patch for all affected firmware versions. Known affected versions include XIO h06 build 5522, i-door+ h06 build 5522, XA4 h06 build 5522, and X3 h02 build 4163 [1]. Administrators are advised to restrict network access to the management interface, apply strict input validation at the network perimeter, and monitor for any vendor updates or workarounds [1].
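The following is an added illustration, not code from Zucchetti or from the affected firmware: it shows the two defensive layers the description implies for a parameter like dirBrowse, contextual HTML encoding at the output boundary (the fix for the reflection itself) and an allow-list on the browse path (which also doubles as a simple log check for anomalous requests to the endpoint). The request lines, the path grammar and the function names are constructed assumptions for the example.

```python
"""Added example (not Zucchetti's code): safe handling of a browse-path
parameter in a CGI-style file manager, plus a log check for anomalous values.
All names, the path grammar and the sample request lines are constructed."""
import html
import re
from urllib.parse import parse_qs, urlparse

# Constructed allow-list: a browse path is a sequence of plain path segments
# made of letters, digits, '_', '.', '-' separated by '/'. Markup characters
# such as '<', '>', '"' and quotes never match.
_SAFE_DIR = re.compile(r"^/?(?:[A-Za-z0-9_.-]+/?)*$")


def render_listing_unsafe(dir_browse: str) -> str:
    """The pattern the advisory describes: the parameter is echoed into HTML verbatim."""
    return f"<h1>Index of {dir_browse}</h1>"


def render_listing_safe(dir_browse: str) -> str:
    """Fix for the reflection: HTML-encode the value at the output boundary.

    html.escape encodes & < > " and ', so an injected tag is rendered as text
    in an HTML body context rather than parsed as markup."""
    return f"<h1>Index of {html.escape(dir_browse, quote=True)}</h1>"


def is_safe_dir_browse(dir_browse: str) -> bool:
    """Second layer: accept only plain relative paths (no markup, no '..')."""
    if not _SAFE_DIR.fullmatch(dir_browse):
        return False
    return ".." not in dir_browse.split("/")


def handle_request(request_line: str) -> tuple[int, str]:
    """Constructed request handler: validate, then render with output encoding."""
    parts = request_line.split()
    if len(parts) < 2:
        return 400, "bad request"
    query = parse_qs(urlparse(parts[1]).query, keep_blank_values=True)
    dir_browse = query.get("dirBrowse", [""])[0]
    if not is_safe_dir_browse(dir_browse):
        return 400, "invalid dirBrowse value"
    return 200, render_listing_safe(dir_browse)


def suspicious_dir_browse(request_line: str) -> bool:
    """Log check: flag a request line whose dirBrowse value fails the allow-list.

    parse_qs URL-decodes the value, so percent-encoded markup is caught too."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    query = parse_qs(urlparse(parts[1]).query, keep_blank_values=True)
    return any(not is_safe_dir_browse(v) for v in query.get("dirBrowse", []))


def flagged_requests(lines: list[str]) -> list[str]:
    """Return the request lines that should be reviewed."""
    return [line for line in lines if suspicious_dir_browse(line)]


# Constructed sample request lines (not from any real device log).
CONSTRUCTED_LOG = [
    "GET /file_manager.cgi?dirBrowse=config/backups HTTP/1.1",
    "GET /file_manager.cgi?dirBrowse=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1",
    "GET /file_manager.cgi?dirBrowse=../../etc HTTP/1.1",
    "GET /index.cgi HTTP/1.1",
]

if __name__ == "__main__":
    for line in CONSTRUCTED_LOG:
        print(suspicious_dir_browse(line), handle_request(line))
```

Encoding alone is what prevents script execution on the reflected page; the allow-list is defence in depth and gives operators a cheap signal (any request to /file_manager.cgi whose dirBrowse value is not a plain path) to alert on while no vendor patch is available.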
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.