MEDIUM 5.4

CVE-2026-25557: Reflected XSS in Evoluted PHP Directory Listing Script 4.0.5

Evoluted PHP Directory Listing Script versions up to 4.0.5 contain a reflected cross-site scripting (XSS) vulnerability in the directory parameter handling. When a user visits a specially crafted malicious link, JavaScript code embedded in the directory path gets executed in their browser, potentially allowing attackers to steal session cookies, redirect users to phishing sites, or perform actions on their behalf. The vulnerability requires user interaction—victims must click a malicious link—but no special privileges are needed to exploit it.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
0 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Evoluted PHP Directory Listing Script through 4.0.5 contains a reflected cross-site scripting vulnerability in index.php where the dir parameter value is reflected without HTML encoding inside the HTML title element and inside anchor href attributes in the breadcrumb navigation. Attackers can inject arbitrary JavaScript via crafted dir parameter values by breaking out of the title context or injecting event handlers into breadcrumb anchor attributes to execute malicious scripts in a victim's browser.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in index.php where the 'dir' parameter value is reflected unsanitized into two separate locations: the HTML title element and href attributes within breadcrumb navigation anchors. By crafting payloads that break out of the title tag context or inject event handlers (such as onerror or onclick) into anchor elements, an attacker can execute arbitrary JavaScript in the victim's browser context. The application fails to HTML-encode user-supplied input before outputting it, violating fundamental XSS prevention practices. This is a classic reflected XSS flaw (CWE-79) where the malicious payload travels in the URL query string rather than being stored server-side.

Business impact

For organizations deploying Evoluted PHP Directory Listing Script, this vulnerability creates a social engineering vector. Attackers can distribute malicious links via email, chat, or forums that exploit end users when clicked. Compromised sessions could allow unauthorized access to files served by the directory listing interface, data exfiltration, or lateral movement if the script runs in a privileged context. The low barrier to exploitation and reliance on user trust in links makes this a credible threat in targeted phishing campaigns or supply-chain scenarios where attackers control link distribution channels.

Affected systems

Evoluted PHP Directory Listing Script version 4.0.5 and all earlier versions are vulnerable. Any installation accessible over the network using affected versions is at risk. The impact depends on deployment context—directory listing endpoints publicly exposed on the internet face higher risk than those on internal networks with restricted access. Organizations using this script for file sharing, software distribution, or documentation hosting should prioritize inventory and assessment.

Exploitability

This is a reflected XSS vulnerability with low complexity and no authentication required, but it does require user interaction (clicking a malicious link). An attacker crafts a URL like: http://target.com/index.php?dir=<script>alert('xss')</script> or exploits the anchor href context to inject event handlers. The attack succeeds in any browser without special conditions—no CSRF tokens, browser quirks, or advanced techniques needed. While not as dangerous as stored XSS or pre-authentication RCE, the ease of crafting payloads and delivering them via social engineering makes practical exploitation straightforward.

Remediation

Upgrade Evoluted PHP Directory Listing Script to a patched version that implements proper HTML encoding of user input. When upgrading, test the directory listing functionality to ensure breadcrumb navigation and title elements render correctly. Additionally, implement Content Security Policy (CSP) headers as a defense-in-depth measure to restrict script execution. For environments where patching is delayed, disable public access to the directory listing endpoint or restrict it to trusted IP ranges until a fix is applied.

Patch guidance

Check the vendor's release notes for versions after 4.0.5 that address input sanitization in the dir parameter handling. Apply the patch through your standard update procedures, backing up your current configuration first. Verify that breadcrumb navigation and directory titles display correctly after patching, and test with special characters and path traversal sequences to ensure the fix doesn't introduce new issues or break legitimate functionality. If the vendor provides a specific commit hash or advisory, reference those to confirm you have the correct build.

Detection guidance

Monitor web server logs for requests to index.php containing suspicious characters in the 'dir' parameter—look for script tags, event handlers (onerror, onclick, onload), JavaScript protocol handlers (javascript:), or HTML metacharacters (< > " '). Implement Web Application Firewall (WAF) rules that block common XSS patterns in query parameters. Track HTTP requests where the dir parameter value appears in the response HTML, particularly in title or href contexts, as an additional validation step. Correlate with browser-side detection if users report unexpected script execution or session hijacking attempts.

Why prioritize this

Although rated MEDIUM severity, this vulnerability merits prompt attention because: (1) exploitation requires minimal technical skill, (2) no authentication or special conditions are needed, (3) it targets end users directly through social engineering rather than requiring infrastructure compromise, and (4) directory listing scripts are often deployed in trusted contexts (internal file shares, documentation sites) where users may be less skeptical of links. Organizations with public-facing instances or those relying on this script for collaborative file access should prioritize patching within 30 days.

Risk score, explained

The CVSS 3.1 score of 5.4 (MEDIUM) reflects a network-accessible vulnerability with low attack complexity and no privilege requirements, but mitigated by the requirement for user interaction and limited scope (confidentiality and integrity impact, no availability impact). The score appropriately captures that while the attack is easy to perform, its impact is bounded to individual sessions and data accessible through the web interface rather than system-wide compromise. Organizations should not interpret MEDIUM as 'low priority'—XSS vulnerabilities are frequently exploited in real-world campaigns and form the basis for more sophisticated attacks.

Frequently asked questions

Can this vulnerability be exploited without user interaction?

No. The vulnerability is reflected XSS, meaning the malicious payload must be delivered via a crafted URL that the user clicks. Attackers cannot force exploitation through passive browsing or automatic requests; they must trick users into clicking a malicious link, typically via phishing emails, instant messages, or forum posts.

Does this affect stored/persistent data or only the directory listing display?

This is a reflected XSS flaw affecting only the display of the directory listing interface. The malicious payload is not stored on the server; it executes only in the browser of users who click the crafted link. However, attackers could use this to steal session cookies or credentials that might persist across multiple pages or sessions.

What if we restrict directory listing to internal networks only?

Restricting access to internal networks significantly reduces exploitability but does not eliminate the risk. Insider threats, compromised internal credentials, or attackers on the same network can still craft malicious links. Network isolation is a valuable defense-in-depth layer but should not replace patching as the primary remediation.

Is there a temporary workaround if we cannot patch immediately?

Yes. Implement a Web Application Firewall rule that strips or blocks special characters and script-like patterns in the dir parameter, or place the directory listing endpoint behind an authentication gateway and require users to re-authenticate with multi-factor authentication. However, these are temporary measures and patching should remain your primary goal.

This analysis is provided for informational and defensive purposes only. The information reflects the current state of public vulnerability disclosures and may be updated as new details emerge. Readers should verify all patch versions, vendor advisories, and technical details directly with official vendor sources before applying fixes. SEC.co makes no warranty regarding the completeness or accuracy of this guidance and recommends independent testing in non-production environments before deploying patches to production systems. Organizations should adapt detection and remediation guidance to their specific network architecture, compliance requirements, and risk tolerance. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).