CVE-2026-30695 is a Cross-Site Scripting (XSS) vulnerability identified in the web-based configuration interface of multiple Zucchetti Axess access control devices, including models XA4, X3/X3BIO, X4, X7, and XIO/i-door/i-door+. The root cause is improper sanitization of user-supplied input in the dirBrowse parameter of the /file_manager.cgi endpoint, which allows an attacker to inject malicious JavaScript code. This vulnerability is classified under CWE-79, indicating a failure to neutralize or encode output properly, leading to script injection. The CVSS v3.1 base score is 6.1 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), scope changed (S:C), and impacts on confidentiality and integrity (C:L/I:L) but no impact on availability (A:N). The vulnerability allows an attacker to execute arbitrary scripts in the context of the victim's browser when they interact with a crafted link or page, potentially leading to session hijacking, credential theft, or unauthorized configuration changes. No patches or known exploits are currently available, and the vulnerability was published on March 18, 2026. The affected devices are commonly used in physical access control systems, making this a significant risk for organizations relying on these devices for security management.

The primary impact of CVE-2026-30695 is on the confidentiality and integrity of the management interface of Zucchetti Axess access control devices. Successful exploitation can lead to the execution of malicious scripts in the context of an authenticated user’s session, potentially allowing attackers to steal session cookies, capture credentials, or perform unauthorized configuration changes. This could compromise physical security by enabling unauthorized access or manipulation of access control policies. Although availability is not directly affected, the breach of confidentiality and integrity can have cascading effects on organizational security posture. Organizations worldwide using these devices may face targeted attacks aiming to bypass physical security controls or gather intelligence on security configurations. The lack of authentication requirement lowers the barrier for exploitation, but user interaction is necessary, which may limit automated widespread exploitation. The absence of known exploits in the wild suggests this vulnerability is not yet actively exploited but could be targeted in the future, especially in high-value environments.

To mitigate CVE-2026-30695, organizations should immediately restrict access to the web-based management interface of affected Zucchetti Axess devices using network segmentation and access control lists to limit exposure to trusted administrators only. Deploying a web application firewall (WAF) with robust XSS detection and filtering capabilities can help block malicious payloads targeting the dirBrowse parameter. Administrators should educate users to avoid clicking on suspicious links or interacting with untrusted content related to the device management interface. Monitoring and logging access to the /file_manager.cgi endpoint can help detect potential exploitation attempts. Since no patches are currently available, organizations should engage with Zucchetti for updates and consider implementing compensating controls such as multi-factor authentication (MFA) on management interfaces if supported. Regular security assessments and penetration testing focused on web interface vulnerabilities can identify and remediate similar issues proactively. Finally, maintaining an incident response plan that includes web interface compromise scenarios will improve readiness against exploitation attempts.