CVE-2026-25557
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk9th percentile - higher than 9% of all known CVEs
Summary
Evoluted PHP Directory Listing Script version 4.0.5 contains a reflected XSS vulnerability in index.php where the dir parameter value is reflected without HTML encoding in the title element and in anchor href attributes in the breadcrumb navigation.
Risk Assessment
Attackers can inject arbitrary JavaScript via crafted dir parameter values, potentially executing malicious scripts in a victim's browser.
Recommendation
It is recommended to implement proper HTML encoding for the dir parameter value and to review and update the script to the latest version to minimize the risk of XSS attacks.
Original NVD description (English source)
Evoluted PHP Directory Listing Script through 4.0.5 contains a reflected cross-site scripting vulnerability in index.php where the dir parameter value is reflected without HTML encoding inside the HTML title element and inside anchor href attributes in the breadcrumb navigation. Attackers can inject arbitrary JavaScript via crafted dir parameter values by breaking out of the title context or injecting event handlers into breadcrumb anchor attributes to execute malicious scripts in a victim's browser.

