An issue exists on Cayin SMP-PRO4 devices. They allow image_preview.html?filename= reflected XSS.
cayintech smp-pro4_firmware -