CVE Catalog

CVE-2026-25557

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.03%

9th percentile - higher than 9% of all known CVEs

Summary

Evoluted PHP Directory Listing Script version 4.0.5 contains a reflected XSS vulnerability in index.php where the dir parameter value is reflected without HTML encoding in the title element and in anchor href attributes in the breadcrumb navigation.

Risk Assessment

Attackers can inject arbitrary JavaScript via crafted dir parameter values, potentially executing malicious scripts in a victim's browser.

Recommendation

It is recommended to implement proper HTML encoding for the dir parameter value and to review and update the script to the latest version to minimize the risk of XSS attacks.

Original NVD description (English source)

Evoluted PHP Directory Listing Script through 4.0.5 contains a reflected cross-site scripting vulnerability in index.php where the dir parameter value is reflected without HTML encoding inside the HTML title element and inside anchor href attributes in the breadcrumb navigation. Attackers can inject arbitrary JavaScript via crafted dir parameter values by breaking out of the title context or injecting event handlers into breadcrumb anchor attributes to execute malicious scripts in a victim's browser.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS