Reflected XSS in Ilevia EVE X1 Server firmware (all versions through 4.7.18.0.eden) exposes unauthenticated network attackers to client-side code execution by injecting malicious payloads via the index.php endpoint on port 8080. A publicly available proof-of-concept exploit exists (ZSL-2025-5961), raising the practical risk above the 5.1 CVSS score alone would suggest. Critically, Ilevia has formally declined to issue a patch, leaving all deployed devices permanently unmitigated at the firmware level - the only vendor-sanctioned control is network segmentation.
PHP object injection in Vfront 0.99.52's mexcel.php endpoint exposes an unauthenticated POST parameter directly to unserialize() without class restrictions, enabling remote attackers to instantiate arbitrary PHP objects. Depending on exploitable gadget chains present in the Vfront codebase or its PHP dependencies, this can escalate to remote code execution, SQL injection, path traversal, or denial of service. No public exploit has been identified at time of analysis, and EPSS places exploitation probability at 0.40% (32nd percentile), consistent with the absence of a CISA KEV listing.
Hardcoded credentials embedded in ATLAS-EPIC (GitHub project gsiegel14/ATLAS-EPIC, commit f29312c, 2025-05-26) expose authentication secrets directly in publicly accessible source code, enabling authentication bypass. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms that any network-reachable instance can be accessed by an unauthenticated attacker who reads the repository and extracts the embedded credentials. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.