Skip to main content

Facilemanager CVE-2026-30918

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-10 security-advisories@github.com
7.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.6 HIGH
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
CVE Published
Mar 10, 2026 - 17:40 nvd
HIGH 7.6

DescriptionGitHub Advisory

facileManager is a modular suite of web apps built with the sysadmin in mind. Prior to 6.0.4 , a reflected XSS occurs when an application receives data from an untrusted source and uses it in its HTTP responses in a way that could lead to vulnerabilities. It is possible to inject malicious JavaScript code into a URL by adding a script in a parameter. This vulnerability was found in the fmDNS module. The parameter that is vulnerable to an XSS attack is log_search_query. This vulnerability is fixed in 6.0.4.

AnalysisAI

FacileManager versions prior to 6.0.4 contain a reflected cross-site scripting vulnerability in the fmDNS module's log_search_query parameter that allows authenticated attackers to inject malicious JavaScript through crafted URLs. An attacker with login credentials can exploit this to execute arbitrary scripts in users' browsers, potentially compromising sensitive administrative data or session tokens. No patch is currently available for affected deployments.

Technical ContextAI

This vulnerability (CWE-79: Cross-site Scripting (XSS)) exists in the fmDNS component. facileManager is a modular suite of web apps built with the sysadmin in mind. Prior to 6.0.4 , a reflected XSS occurs when an application receives data from an untrusted source and uses it in its HTTP responses in a way that could lead to vulnerabilities. It is possible to inject malicious JavaScript code into a URL by adding a script in a parameter. This vulnerability was found in the fmDNS module. The parameter that is vulnerable to an XSS attack is log_search_query. This vulnerability is fixe

RemediationAI

Fixed in version 6.0.4.. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.

Share

CVE-2026-30918 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy