Skip to main content
CVE-2025-34512 MEDIUM POC This Month

Reflected XSS in Ilevia EVE X1 Server firmware (all versions through 4.7.18.0.eden) exposes unauthenticated network attackers to client-side code execution by injecting malicious payloads via the index.php endpoint on port 8080. A publicly available proof-of-concept exploit exists (ZSL-2025-5961), raising the practical risk above the 5.1 CVSS score alone would suggest. Critically, Ilevia has formally declined to issue a patch, leaving all deployed devices permanently unmitigated at the firmware level - the only vendor-sanctioned control is network segmentation.

PHP XSS RCE Eve X1 Server Firmware
NVD VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2025-60641 MEDIUM This Month

PHP object injection in Vfront 0.99.52's mexcel.php endpoint exposes an unauthenticated POST parameter directly to unserialize() without class restrictions, enabling remote attackers to instantiate arbitrary PHP objects. Depending on exploitable gadget chains present in the Vfront codebase or its PHP dependencies, this can escalate to remote code execution, SQL injection, path traversal, or denial of service. No public exploit has been identified at time of analysis, and EPSS places exploitation probability at 0.40% (32nd percentile), consistent with the absence of a CISA KEV listing.

Deserialization Path Traversal SQLi Denial Of Service RCE +1
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2025-60639 MEDIUM This Month

Hardcoded credentials embedded in ATLAS-EPIC (GitHub project gsiegel14/ATLAS-EPIC, commit f29312c, 2025-05-26) expose authentication secrets directly in publicly accessible source code, enabling authentication bypass. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms that any network-reachable instance can be accessed by an unauthenticated attacker who reads the repository and extracts the embedded credentials. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.3%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy