CVE-2026-30918

7.6 HIGH

📋 TL;DR

This reflected XSS vulnerability in facileManager's fmDNS module allows attackers to inject malicious JavaScript via the log_search_query parameter in URLs. When exploited, it can lead to session hijacking, credential theft, or unauthorized actions in the admin interface. All users running facileManager versions before 6.0.4 with the fmDNS module enabled are affected.

💻 Affected Systems

Products:
  • facileManager
  • facileManager fmDNS module
Versions: All versions prior to 6.0.4
Operating Systems: All platforms running facileManager
Default Config Vulnerable: ⚠️ Yes
Notes: Requires fmDNS module to be enabled and accessible. The vulnerability is in the web interface component.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the facileManager instance leading to administrative account takeover, data exfiltration, and potential lateral movement to connected systems.

🟠 Likely Case

Session hijacking of authenticated users, credential theft via phishing, or unauthorized modifications to DNS configurations.

🟢 If Mitigated

Limited impact with proper input validation, output encoding, and Content Security Policy (CSP) headers in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires tricking authenticated users into clicking malicious links. The vulnerability is well-documented in the advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.0.4

Vendor Advisory: https://github.com/facileManager/facileManager/security/advisories/GHSA-284f-mff7-744x

Restart Required: Yes

Instructions:

  1. Backup your current facileManager installation and database.
  2. Download version 6.0.4 from the official repository.
  3. Replace existing files with the updated version.
  4. Run any database migration scripts if provided.
  5. Restart the web server service.

🔧 Temporary Workarounds

Input Validation Filter

Platform: all

Implement server-side input validation to sanitize the log_search_query parameter. The escaping must match the output context: htmlspecialchars() is correct for a value echoed into HTML body or attribute content, not for a value placed inside a JavaScript block or a URL.

<?php
// Add input validation in the affected PHP file: escape the parameter before it is
// echoed back into the page. ENT_QUOTES also covers single-quoted attribute values.
$clean_query = htmlspecialchars($_GET['log_search_query'] ?? '', ENT_QUOTES, 'UTF-8');

Web Application Firewall (WAF) Rule

Platform: linux

Deploy WAF rules to block XSS payloads in the log_search_query parameter. These signatures only match a literal script tag; treat them as a stopgap until 6.0.4 is deployed, since event-handler or encoded payloads in the same parameter will not match them.

# Example ModSecurity rule (ARGS is already URL-decoded by the engine; (?i) makes the match case-insensitive):
SecRule ARGS:log_search_query "@rx (?i)<script" "id:1001,phase:2,deny,status:403,msg:'XSS Attempt'"
# Example naxsi rule:
MainRule "str:<script" "msg:XSS script tag" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1001;

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources.
  • Disable or restrict access to the fmDNS module interface if not critically needed.

🔍 How to Verify

Check if Vulnerable:

Check if your facileManager version is below 6.0.4 and if the fmDNS module is enabled. Test by attempting to inject a harmless payload like <script>alert('test')</script> in the log_search_query parameter.

Check Version:

grep -r "define('FM_VERSION'" /path/to/facileManager/ || grep FM_VERSION /path/to/facileManager/includes/init.inc.php

Verify Fix Applied:

After upgrading to 6.0.4, verify that XSS payloads in the log_search_query parameter are properly sanitized and do not execute. Check that the version number shows 6.0.4 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Unusual log_search_query parameter values containing script tags or JavaScript code
  • Multiple failed login attempts following suspicious URL accesses
  • Admin session tokens being used from unexpected IP addresses

Network Indicators:

  • HTTP requests with encoded script tags in query parameters
  • Traffic patterns showing users being redirected to malicious sites after accessing facileManager

SIEM Query:

source="facileManager_access.log" AND (log_search_query="*<script*" OR log_search_query="*javascript:*" OR log_search_query="*onerror=*" OR log_search_query="*onload=*")
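As an added example (not part of this advisory or the facileManager project), the following Python script applies the SIEM indicators above to raw web-server access-log lines, URL-decoding the parameter first so that percent-encoded or double-encoded payloads are not missed by a plain wildcard search. The combined log format, the request paths and the sample entries are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Indicators taken from the SIEM query above; matched case-insensitively after decoding.
XSS_INDICATORS = ("<script", "javascript:", "onerror=", "onload=")

# Combined-format request line (constructed assumption): client IP, timestamp, request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

def fully_decode(value, max_rounds=3):
    """Undo up to max_rounds layers of percent-encoding (double encoding is a common evasion)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_values(target, param="log_search_query"):
    """Return decoded values of `param` in a request target that contain an XSS indicator."""
    hits = []
    # parse_qs already removes one layer of percent-encoding; fully_decode handles the rest.
    for raw in parse_qs(urlsplit(target).query, keep_blank_values=True).get(param, []):
        value = fully_decode(raw)
        if any(ind in value.lower() for ind in XSS_INDICATORS):
            hits.append(value)
    return hits

def scan_log(lines):
    """Return (client_ip, timestamp, decoded_value) for every flagged request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        for value in suspicious_values(m.group("target")):
            findings.append((m.group("ip"), m.group("ts"), value))
    return findings

# Constructed sample log: one benign search, one plain-encoded and one double-encoded payload, one unrelated POST.
SAMPLE_LOG = [
    '10.0.0.5 - admin [12/Mar/2026:10:01:02 +0000] "GET /fm-modules/fmDNS/index.php?log_search_query=ns1.example.org HTTP/1.1" 200 5120',
    '10.0.0.9 - - [12/Mar/2026:10:02:10 +0000] "GET /fm-modules/fmDNS/index.php?log_search_query=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5200',
    '10.0.0.9 - - [12/Mar/2026:10:02:31 +0000] "GET /fm-modules/fmDNS/index.php?log_search_query=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5200',
    '10.0.0.7 - - [12/Mar/2026:10:03:00 +0000] "POST /login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, ts, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} log_search_query={value!r}")
```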
