CVE-2026-30695
MEDIUM
Zucchetti Axess XA4/X3/X3BIO/X4/X7/XIO/i-door/i-door+ - XSS
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2026-30695. PoCs published by iremnurylmz.
AI-analyzed exploit summary: The repository provides a functional proof-of-concept for an XSS vulnerability in Zucchetti Axess devices, exploiting improper input sanitization in the `dirBrowse` parameter of the `/file_manager.cgi` endpoint. The PoC demonstrates arbitrary JavaScript execution in an administrative context.
Description
A Cross-Site Scripting (XSS) vulnerability exists in the web-based configuration interface of Zucchetti Axess access control devices, including XA4, X3/X3BIO, X4, X7, and XIO / i-door / i-door+. The vulnerability is caused by improper sanitization of user-supplied input in the dirBrowse parameter of the /file_manager.cgi endpoint.
Exploits (1)
References (3)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N