CVE-2026-25557
Description
Evoluted PHP Directory Listing Script 4.0.5 has a reflected XSS vulnerability in index.php via the dir parameter, allowing script execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Evoluted PHP Directory Listing Script through version 4.0.5 contains a reflected cross-site scripting vulnerability in index.php. The value of the dir parameter is reflected without HTML encoding in two places: inside the HTML `<title>` element and inside the `href` attributes of the breadcrumb navigation anchors. Either context allows arbitrary JavaScript injection [1, 3].
Exploitation
An attacker exploits this by crafting a URL whose dir parameter either closes the `<title>` element so that following text is parsed as markup, or terminates a breadcrumb anchor's `href` attribute value and appends an event-handler attribute. The victim must open the crafted link (for example by clicking it) for the injected script to run in their browser [1, 3].
Impact
Successful exploitation executes attacker-controlled JavaScript in the victim's browser within the origin of the vulnerable application. Depending on the injected script, this enables session hijacking (where the session cookie is readable by script), page defacement, or redirection to attacker-controlled sites. The impact is confined to the victim's browser session in the context of the vulnerable application [3].
Mitigation
No fix is disclosed in the available references. The affected software is version 4.0.5 and earlier; reference [1] provides a download link for version 4.0.5 from an archived page. Absent a vendor patch, the standard remediation for this class of bug is contextual output encoding of the dir value before it is written into the page: HTML-encode it in the title, and URL-encode then HTML-encode it in the breadcrumb href attributes.
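The two reflection contexts named under Exploitation, and the output-encoding fix named under Mitigation, as an added illustration. This is not the Evoluted script's own index.php and not a vendor patch; it is a hypothetical minimal breadcrumb renderer that mirrors the described behaviour, with constructed probe strings as input. Function names (`render_title_unsafe`, `render_breadcrumbs_safe`, and so on) are assumptions for this example.

```php
<?php
// Added example, not code from the Evoluted PHP Directory Listing Script.
// Shows the dir parameter reflected into the <title> element and into
// breadcrumb anchor href attributes, first unencoded, then encoded per context.

// Context 1: <title>. The unsafe form interpolates $dir directly; a "</title>"
// sequence ends the element and whatever follows is parsed as HTML.
function render_title_unsafe(string $dir): string {
    return "<title>Index of $dir</title>";
}

function render_title_safe(string $dir): string {
    return '<title>Index of '
        . htmlspecialchars($dir, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</title>';
}

// Context 2: breadcrumb anchors. Each path segment becomes a link; in the
// unsafe form a double quote in $dir ends the href value and lets an
// event-handler attribute follow inside the same tag.
function render_breadcrumbs_unsafe(string $dir): string {
    $html = '';
    $path = '';
    foreach (array_filter(explode('/', $dir), 'strlen') as $seg) {
        $path .= $seg . '/';
        $html .= "<a href=\"index.php?dir=$path\">$seg</a> / ";
    }
    return $html;
}

function render_breadcrumbs_safe(string $dir): string {
    $html = '';
    $path = '';
    foreach (array_filter(explode('/', $dir), 'strlen') as $seg) {
        $path .= $seg . '/';
        // Encode for the innermost context first (query-string value),
        // then for the outer one (HTML attribute); link text is HTML-encoded.
        $href = 'index.php?dir=' . rawurlencode($path);
        $html .= '<a href="' . htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">'
               . htmlspecialchars($seg, ENT_QUOTES | ENT_HTML5, 'UTF-8')
               . '</a> / ';
    }
    return $html;
}

// Constructed inputs (not from the references): a benign path and one
// canary per context. alert(1) is a harmless stand-in for attacker script.
$benign      = 'docs/2024/';
$title_probe = '</title><svg onload=alert(1)>';
$attr_probe  = 'x" onmouseover="alert(1)';

foreach ([$benign, $title_probe] as $dir) {
    echo "dir = $dir\n";
    echo '  unsafe title: ' . render_title_unsafe($dir) . "\n";
    echo '  safe title  : ' . render_title_safe($dir) . "\n\n";
}
foreach ([$benign, $attr_probe] as $dir) {
    echo "dir = $dir\n";
    echo '  unsafe crumbs: ' . render_breadcrumbs_unsafe($dir) . "\n";
    echo '  safe crumbs  : ' . render_breadcrumbs_safe($dir) . "\n\n";
}
```

Run it with `php` on the command line and compare the unsafe and safe lines for each probe: in the safe output the `<`, `>` and `"` characters arrive as `&lt;`, `&gt;` and `&quot;` (or percent-encoded inside the query string), so the title element is never closed early and the href attribute is never terminated. Encoding is applied at the point of output, per context, rather than by stripping characters from the input.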
AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=4.0.5
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE. This section is only generated when the actual fix diff can be read; without it, the four subsections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (3)
News mentions
No linked articles in our index yet.