CVE-2025-34512

6.1 MEDIUM

Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain a reflected cross-site scripting (XSS) vulnerability in index.php that all...

Published: 2025-10-16 · Last updated: 2025-10-23

Severity and scoring

CVSS: 6.1 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Affected products

Vendor	Product
ilevia	eve_x1_server_firmware

Description

Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain a reflected cross-site scripting (XSS) vulnerability in index.php that allows an unauthenticated attacker to execute arbitrary code. Ilevia has declined to service this vulnerability, and recommends that customers not expose port 8080 to the internet.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2025-34512
[Other]https://www.ilevia.com/
[Other]https://www.vulncheck.com/advisories/ilevia-eve-x1-server-reflected-xss
[Exploit reference]https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5961.php

Related CVEs

Same vendor

CVE-2025-34186 — Ilevia EVE X1/X5 Server version ≤ 4.7.18.0.eden contains a vulnerability in its authentication mechanism (9.8 CRITICAL)

Same CWE

CVE-2026-12176 — A vulnerability has been found in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 (4.3 MEDIUM)
CVE-2026-5513 — The Online Scheduling and Appointment Booking System – Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '... (7.2 HIGH)
CVE-2026-9629 — The Canvas plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' parameter in all versions up to, and including... (6.4 MEDIUM)
CVE-2026-3297 — The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Anc... (6.4 MEDIUM)
CVE-2026-9134 — The FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_attribute_key' shortcode parameter in ve... (6.4 MEDIUM)