Description
Evoluted PHP Directory Listing Script through 4.0.5 contains a reflected cross-site scripting vulnerability in index.php where the dir parameter value is reflected without HTML encoding inside the HTML title element and inside anchor href attributes in the breadcrumb navigation. Attackers can inject arbitrary JavaScript via crafted dir parameter values by breaking out of the title context or injecting event handlers into breadcrumb anchor attributes to execute malicious scripts in a victim's browser.
Published: 2026-06-09
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the Evoluted PHP Directory Listing Script allows an attacker to inject arbitrary JavaScript by providing a crafted value for the dir parameter. The unconstrained value is reflected unencoded within the HTML title element and within anchor href attributes in the breadcrumb navigation. When a victim’s browser renders the page, the injected script executes in the victim’s context, enabling session hijacking, credential theft, or delivery of malicious payloads.

Affected Systems

The vulnerability affects installations of the Evoluted PHP Directory Listing Script through version 4.0.5. Any instance deployed without a later patched release is susceptible.

Risk and Exploitability

With a CVSS score of 5.1, the risk is moderate, assuming the affected web application is exposed to unauthenticated users who can manipulate the dir parameter. The absence of an EPSS score does not change the attack vector: a typical browser-based reflected XSS that requires only a crafted URL. The vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation at this time.

Generated by OpenCVE AI on June 9, 2026 at 22:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Evoluted PHP Directory Listing Script to the latest release (4.0.6 or newer) which properly sanitizes the dir parameter.
  • If an upgrade is not immediately possible, modify index.php to HTML‑encode or otherwise validate the dir parameter before inserting it into the title tag or href attributes.
  • Implement a Web Application Firewall rule or browser‑side defense to detect and block suspicious dir parameter values by filtering out script tags or event handler attributes.

Generated by OpenCVE AI on June 9, 2026 at 22:43 UTC.
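
One way to apply the encoding described in the second recommended action, as an added example that is not OpenCVE's or the project's own code. The helper names (normalise_dir, h, breadcrumbs) and the sample value are hypothetical, and the real index.php may build its title and breadcrumb differently.

```php
<?php
// Added illustration with hypothetical helpers; not the script's actual code.
// Unsafe pattern the description refers to: echoing $_GET['dir'] straight into
// <title> or an href attribute with no output encoding.

/** Normalise a user-supplied directory path; return '' when it is not acceptable. */
function normalise_dir(string $raw): string
{
    // Reject control characters (including NUL) outright.
    if (preg_match('/[\x00-\x1F\x7F]/', $raw)) {
        return '';
    }
    $segments = [];
    foreach (explode('/', str_replace('\\', '/', $raw)) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;               // collapse empty and no-op segments
        }
        if ($seg === '..') {
            return '';              // refuse parent-directory references
        }
        $segments[] = $seg;
    }
    return implode('/', $segments);
}

/** Encode for HTML text content or a quoted attribute value. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Breadcrumb anchors: URL-encode the query value first, then HTML-encode the href. */
function breadcrumbs(string $dir): string
{
    $out  = [];
    $path = '';
    foreach ($dir === '' ? [] : explode('/', $dir) as $seg) {
        $path  = $path === '' ? $seg : $path . '/' . $seg;
        $href  = 'index.php?dir=' . rawurlencode($path);
        $out[] = '<a href="' . h($href) . '">' . h($seg) . '</a>';
    }
    return implode(' &raquo; ', $out);
}

// Constructed sample value containing HTML metacharacters (used when run from the CLI).
$raw = $_GET['dir'] ?? 'docs/a"b<c>&d';
$dir = normalise_dir(is_string($raw) ? $raw : '');   // ?dir[]=x arrives as an array
echo '<title>Index of /' . h($dir) . "</title>\n";
echo breadcrumbs($dir), "\n";
```

Encoding is applied at the point of output and per context: the title needs only HTML encoding, while the href needs URL encoding of the parameter value followed by HTML encoding of the attribute.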

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 21:15:00 +0000

Values Added, by type (no values removed):

  • Description: Evoluted PHP Directory Listing Script through 4.0.5 contains a reflected cross-site scripting vulnerability in index.php where the dir parameter value is reflected without HTML encoding inside the HTML title element and inside anchor href attributes in the breadcrumb navigation. Attackers can inject arbitrary JavaScript via crafted dir parameter values by breaking out of the title context or injecting event handlers into breadcrumb anchor attributes to execute malicious scripts in a victim's browser.
  • Title: Evoluted PHP Directory Listing Script 4.0.5 Reflected XSS via dir parameter
  • Weaknesses: CWE-79
  • References
  • Metrics:
      cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}
      cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-09T20:49:31.853Z

Reserved: 2026-02-02T20:12:33.396Z

Link: CVE-2026-25557

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-09T21:17:04.173

Modified: 2026-06-09T21:17:04.173

Link: CVE-2026-25557

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T22:45:05Z
