CVE-2026-25557 Overview
CVE-2026-25557 is a reflected cross-site scripting (XSS) vulnerability in Evoluted PHP Directory Listing Script through version 4.0.5. The index.php script reflects the dir parameter value without HTML encoding in two locations: inside the HTML <title> element and inside anchor href attributes within the breadcrumb navigation. Attackers can craft dir parameter values that break out of the title context or inject event handlers into breadcrumb anchors. Successful exploitation executes arbitrary JavaScript in a victim's browser. The flaw maps to [CWE-79] Improper Neutralization of Input During Web Page Generation.
Critical Impact
Attackers can execute arbitrary JavaScript in a victim's browser by tricking the user into visiting a crafted URL, enabling session theft, credential harvesting, and content manipulation in the directory listing interface.
Affected Products
- Evoluted PHP Directory Listing Script versions through 4.0.5
- Web applications embedding or deploying the vulnerable index.php script
- Any hosting environment serving the unmodified Evoluted directory listing code
Discovery Timeline
- 2026-06-09 - CVE-2026-25557 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-25557
Vulnerability Analysis
The vulnerability resides in index.php of the Evoluted PHP Directory Listing Script. The application accepts a user-controlled dir query parameter that specifies the directory to display. The script reflects this value into the rendered HTML response without applying HTML entity encoding. Two distinct sinks are affected: the document <title> element and breadcrumb navigation anchor href attributes. Both sinks render attacker-controlled input directly into the response body, allowing JavaScript execution when a victim loads the crafted URL.
The attack requires user interaction, since the victim must visit a maliciously crafted link. No authentication is required, and the script reflects payloads on every request. Exploitation impacts confidentiality and integrity within the browser context of the targeted user. The EPSS probability is 0.029% (8.681 percentile), indicating low observed exploitation activity at publication.
Root Cause
The root cause is missing output encoding of the dir request parameter prior to insertion into HTML output. The script does not apply htmlspecialchars() or an equivalent context-aware encoder before writing the value into the <title> element or anchor attributes. As a result, characters such as <, >, ", and ' retain their syntactic meaning in HTML, allowing attackers to terminate the current context and inject markup or event handlers.
Attack Vector
The vulnerability is exploited remotely over the network. An attacker constructs a URL containing a malicious dir parameter and delivers it to a victim through phishing, chat, or another channel. Two payload techniques are documented in the VulnCheck Advisory Reflected XSS: terminating the <title> element with a closing </title> tag followed by a <script> block, or closing the quoted href attribute value of a breadcrumb anchor and appending an event handler such as onmouseover, which fires when the victim hovers over the link. Refer to the GitHub Gist Code Snippet and the Evoluted Blog PHP Script for source context.
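The two sinks and the encoding fix, modelled as an added example that is not the Evoluted index.php source (the function names, the markup layout and the way breadcrumb links are built are assumptions; the real script reads the value from $_GET['dir']). Running it from the CLI prints the vulnerable and hardened output for both documented payload shapes:

```php
<?php
// Added example: minimal model of the two reflection sinks described above.
// Not the Evoluted code; layout and function names are assumptions.
// In the real script the value comes from $_GET['dir'] (also validate it
// against the allowed base directory, which is out of scope here).

// Vulnerable rendering: $dir is written raw into <title> and into the
// single-quoted href of each breadcrumb anchor.
function render_vulnerable(string $dir): string {
    $html = "<title>Index of $dir</title>\n";
    $path = '';
    foreach (explode('/', trim($dir, '/')) as $segment) {
        if ($segment === '') { continue; }
        $path .= $segment . '/';
        $html .= "<a href='?dir=$path'>$segment</a> / ";
    }
    return $html;
}

// Hardened rendering: every reflection goes through htmlspecialchars with
// ENT_QUOTES so both ' and " lose their meaning inside attributes; the query
// value is additionally rawurlencode()d so the URL itself stays well-formed.
function render_fixed(string $dir): string {
    $enc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $html = "<title>Index of " . $enc($dir) . "</title>\n";
    $path = '';
    foreach (explode('/', trim($dir, '/')) as $segment) {
        if ($segment === '') { continue; }
        $path .= $segment . '/';
        $html .= "<a href='?dir=" . $enc(rawurlencode($path)) . "'>" . $enc($segment) . "</a> / ";
    }
    return $html;
}

// The two payload shapes named in the advisory (constructed test inputs).
$payloads = [
    'title break-out'     => '</title><script>alert(1)</script>',
    'attribute injection' => "' onmouseover=alert(1) x='",
];
foreach ($payloads as $name => $payload) {
    echo "== $name ==\n--- vulnerable ---\n" . render_vulnerable($payload)
       . "\n--- fixed ---\n" . render_fixed($payload) . "\n\n";
}
```

In the vulnerable output the second payload yields <a href='?dir=' onmouseover=alert(1) x='/'>, i.e. the attribute is closed and a handler is injected exactly as the advisory describes; in the hardened output the quote appears as &#039; inside the text node and as %27 inside the URL, so neither sink can be escaped. The arrow function requires PHP 7.4 or later.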
Detection Methods for CVE-2026-25557
Indicators of Compromise
- Web server access logs containing index.php requests where the dir parameter includes characters such as <, >, ", ', </title>, <script, onerror=, onmouseover=, or javascript:. Note that access logs record the request target as sent, so these usually appear URL-encoded (%3C for <, %3E for >, %27 for ', %22 for "); match on the decoded value or include the encoded forms in the search.
- Requests for index.php with anomalous dir values whose Referer header points to an external domain, indicating the victim arrived via a delivered link.
- Browser console errors or content security policy (CSP) violation reports tied to script execution from the directory listing pages.
Detection Strategies
- Inspect HTTP request logs for the dir query string parameter, URL-decode the value, and flag values that contain HTML metacharacters or event handler keywords.
- Deploy web application firewall (WAF) rules that match common reflected XSS payload patterns against the dir parameter on URLs serving the Evoluted script.
- Correlate suspicious URL access with subsequent authentication anomalies or session reuse from unexpected geolocations.
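The log inspection strategy above, as an added example (not part of the original advisory). It scans combined-format access log lines, extracts the dir parameter, URL-decodes it, and flags metacharacters and event handler patterns. The log lines are constructed for the example and use documentation IP ranges and a made-up referrer host:

```php
<?php
// Added example: flag index.php requests whose dir parameter carries reflected
// XSS metacharacters. Log lines below are constructed sample data.

const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [09/Jun/2026:10:15:32 +0000] "GET /index.php?dir=docs%2Fpublic HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Jun/2026:10:16:01 +0000] "GET /index.php?dir=%3C%2Ftitle%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "https://attacker.example/" "Mozilla/5.0"
203.0.113.9 - - [09/Jun/2026:10:17:45 +0000] "GET /index.php?dir=%27%20onmouseover%3Dalert(1)%20x%3D%27 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.2 - - [09/Jun/2026:10:18:10 +0000] "GET /style.css HTTP/1.1" 200 300 "-" "Mozilla/5.0"
LOG;

// Returns one entry per suspicious request: client IP, decoded dir value, referrer.
function suspicious_dir_requests(string $log): array {
    $hits = [];
    foreach (explode("\n", $log) as $line) {
        // Pull the request target out of the quoted request field.
        if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) { continue; }
        $query = parse_url($m[1], PHP_URL_QUERY);
        if ($query === null || $query === false) { continue; }
        parse_str($query, $params);            // parse_str URL-decodes: %3C becomes <
        if (!isset($params['dir']) || !is_string($params['dir'])) { continue; }
        $dir = $params['dir'];
        // Metacharacters that terminate a context, javascript: URLs, or on*= handlers.
        if (preg_match('/[<>"\']|javascript:|\bon\w+\s*=/i', $dir)) {
            preg_match('/" \d+ \d+ "([^"]*)"/', $line, $ref);
            $hits[] = [
                'client'   => explode(' ', $line, 2)[0],
                'dir'      => $dir,
                'referrer' => $ref[1] ?? '-',
            ];
        }
    }
    return $hits;
}

foreach (suspicious_dir_requests(SAMPLE_LOG) as $hit) {
    printf("%-15s referrer=%-28s dir=%s\n", $hit['client'], $hit['referrer'], $hit['dir']);
}
```

On the sample data the first and last lines are ignored (a benign directory name and a request without a dir parameter) and the two payload requests are reported with their decoded values, the second one together with the external referrer. Because the match runs on the decoded value, a grep for a literal < against the raw log would have missed both.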
Monitoring Recommendations
- Enable verbose logging on the web server hosting the directory listing script and forward logs to a centralized analytics platform.
- Configure CSP reporting endpoints to capture inline script violations on pages rendered by index.php.
- Alert on outbound requests from end-user browsers to attacker-controlled domains shortly after visits to the directory listing application.
How to Mitigate CVE-2026-25557
Immediate Actions Required
- Restrict public access to the Evoluted PHP Directory Listing Script until a fix is applied, using authentication or IP allowlisting at the web server layer.
- Apply server-side input validation that rejects dir parameter values containing HTML metacharacters before the request reaches application code.
- Add HTML entity encoding to all reflections of the dir parameter in index.php, including the <title> element and breadcrumb anchor attributes.
Patch Information
No vendor patch is referenced in the NVD entry at the time of publication. Administrators should consult the VulnCheck Advisory Reflected XSS and the Evoluted Blog PHP Script for vendor updates. Until an official fix is released, modify the source to wrap every reflection of the dir parameter with htmlspecialchars($value, ENT_QUOTES, 'UTF-8') in both sinks. The ENT_QUOTES flag matters: on PHP versions before 8.1 the default flags (ENT_COMPAT) leave single quotes unencoded, so a single-quoted href attribute could still be closed by a ' in the payload. Where the value is placed in the breadcrumb link's query string, apply rawurlencode() before the HTML encoding so the URL itself stays well-formed.
Workarounds
- Deploy a WAF rule blocking requests where the dir parameter contains <, >, ", ', or known event handler substrings. This also rejects legitimate directory names that contain apostrophes or angle brackets, so treat it as a stopgap rather than a replacement for output encoding.
- Set a strict Content-Security-Policy header that disallows inline scripts and restricts script sources to trusted origins.
- Remove the breadcrumb navigation rendering logic if the directory listing can operate without it, eliminating one of the two reflection sinks.
# Apache mod_security rule blocking HTML metacharacters in the dir parameter.
# ARGS values are URL-decoded before matching, so %3C, %3E, %22 and %27 are caught too.
# Caveat: legitimate directory names containing ' or " are blocked as well.
SecRule ARGS:dir "@rx [<>\"']" \
"id:1002557,phase:2,deny,status:403,log,msg:'CVE-2026-25557 XSS payload blocked'"
# Nginx CSP header to mitigate inline script execution.
# Trial it as Content-Security-Policy-Report-Only first: if index.php itself relies on
# inline <script> or <style> blocks, this policy will break the page.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'";
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.