CVE-2026-25557
MEDIUM
Evoluted PHP Directory Listing Script 4.0.5 Reflected XSS via dir parameter
Title source: cna
Description
Evoluted PHP Directory Listing Script through 4.0.5 contains a reflected cross-site scripting vulnerability in index.php where the dir parameter value is reflected without HTML encoding inside the HTML title element and inside anchor href attributes in the breadcrumb navigation. Attackers can inject arbitrary JavaScript via crafted dir parameter values by breaking out of the title context or injecting event handlers into breadcrumb anchor attributes to execute malicious scripts in a victim's browser.
References (3)
Exploit (technical-description, exploit): https://gist.github.com/cyberinforepo/d62cf53ef42ff703ca67792d49bf6780
Third Party Advisory (third-party-advisory): https://www.vulncheck.com/advisories/evoluted-php-directory-listing-script-reflected-xss-via-dir-parameter
Scores
CVSS v3: 5.4
EPSS: 0.0019
EPSS Percentile: 8.5%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-79
Status: published
Products (1)
Evoluted/PHP Directory Listing Script: < 4.0.5
Published: Jun 09, 2026
Tracked Since: Jun 10, 2026