CVE-2025-34512
MEDIUM
Ilevia EVE X1 Server Firmware <= 4.7.18.0.eden - Unauthenticated Reflected Cross-Site Scripting in index.php
Title source: llm
Description
Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain a reflected cross-site scripting (XSS) vulnerability in index.php that allows an unauthenticated attacker to execute arbitrary script in the victim's browser. Ilevia has declined to service this vulnerability, and recommends that customers not expose port 8080 to the internet.
References (3)
Core References
Product product
https://www.ilevia.com/
Exploit, Third Party Advisory technical-description
exploit
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5961.php
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/ilevia-eve-x1-server-reflected-xss
Scores
CVSS v3
6.1
EPSS
0.0037
EPSS Percentile
29.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
ilevia/eve_x1_server_firmware
< 4.7.18.0
Ilevia Srl./EVE X1 Server
< 4.7.18.0.eden
Published
Oct 16, 2025
Tracked Since
Feb 18, 2026