CVE-2026-30918

facileManager is a modular suite of web apps built with the sysadmin in mind. Prior to 6.0.4 , a reflected XSS occurs when an application receives data from an untrusted source and uses it in its HTTP responses in a way that could lead to vulnerabilities. It is possible to inject malicious JavaScript code into a URL by adding a script in a parameter. This vulnerability was found in the fmDNS module. The parameter that is vulnerable to an XSS attack is log_search_query. This vulnerability is fixed in 6.0.4.

CVSS v3 7.6 HIGH

7.6^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 5.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/facileManager/facileManager/security/advisories/GHSA-284f-mff7-744x	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:facilemanager:facilemanager:*:*:*:*:*:*:*:*

History

13 Mar 2026, 14:55

Type	Values Removed	Values Added
CPE		cpe:2.3:a:facilemanager:facilemanager::::::::
References	~~() https://github.com/facileManager/facileManager/security/advisories/GHSA-284f-mff7-744x -~~	() https://github.com/facileManager/facileManager/security/advisories/GHSA-284f-mff7-744x - Exploit, Mitigation, Vendor Advisory
First Time		Facilemanager Facilemanager facilemanager
Summary		(es) facileManager es una suite modular de aplicaciones web diseñada pensando en el administrador de sistemas. Antes de la versión 6.0.4, se produce un XSS reflejado cuando una aplicación recibe datos de una fuente no confiable y los utiliza en sus respuestas HTTP de una manera que podría generar vulnerabilidades. Es posible inyectar código JavaScript malicioso en una URL añadiendo un script en un parámetro. Esta vulnerabilidad fue encontrada en el módulo fmDNS. El parámetro que es vulnerable a un ataque XSS es log_search_query. Esta vulnerabilidad está corregida en la versión 6.0.4.

10 Mar 2026, 17:40

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-10 17:40

Updated : 2026-03-13 14:55

NVD link : CVE-2026-30918

Mitre link : CVE-2026-30918

CVE.ORG link : CVE-2026-30918

JSON object : View

Products Affected

facilemanager

facilemanager

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

7.6 /10