CVE-2026-30918
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
Lifecycle Timeline
2Tags
Description
facileManager is a modular suite of web apps built with the sysadmin in mind. Prior to 6.0.4 , a reflected XSS occurs when an application receives data from an untrusted source and uses it in its HTTP responses in a way that could lead to vulnerabilities. It is possible to inject malicious JavaScript code into a URL by adding a script in a parameter. This vulnerability was found in the fmDNS module. The parameter that is vulnerable to an XSS attack is log_search_query. This vulnerability is fixed in 6.0.4.
Analysis
FacileManager versions prior to 6.0.4 contain a reflected cross-site scripting vulnerability in the fmDNS module's log_search_query parameter that allows authenticated attackers to inject malicious JavaScript through crafted URLs. An attacker with login credentials can exploit this to execute arbitrary scripts in users' browsers, potentially compromising sensitive administrative data or session tokens. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all facileManager deployments and identify which versions are running, particularly fmDNS instances; notify affected teams of the vulnerability. Within 7 days: Implement WAF rules to block malicious URL parameters targeting facileManager; restrict administrative access to facileManager to internal networks only; conduct a security review of recent facileManager logs for signs of exploitation. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today