CVE-2026-30695
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk9th percentile - higher than 9% of all known CVEs
Summary
A Cross-Site Scripting (XSS) vulnerability exists in the web-based configuration interface of Zucchetti Axess access control devices (models XA4, X3/X3BIO, X4, X7, XIO / i-door / i-door+). The issue is caused by improper sanitization of user-supplied input in the dirBrowse parameter of the /file_manager.cgi endpoint.
Risk Assessment
An attacker can inject malicious JavaScript code that executes in the administrator's browser, potentially leading to session theft, account takeover, or device configuration modification.
Recommendation
Immediately update the firmware of Zucchetti Axess devices to the latest version provided by the vendor. Until the update is applied, restrict access to the configuration interface to trusted IP addresses only.
Original NVD description (English source)
A Cross-Site Scripting (XSS) vulnerability exists in the web-based configuration interface of Zucchetti Axess access control devices, including XA4, X3/X3BIO, X4, X7, and XIO / i-door / i-door+. The vulnerability is caused by improper sanitization of user-supplied input in the dirBrowse parameter of the /file_manager.cgi endpoint.

