PatchSiren cyber security CVE debrief
CVE-2026-25557 Evoluted CVE debrief
CVE-2026-25557 is a reflected cross-site scripting vulnerability in Evoluted PHP Directory Listing Script through 4.0.5. The vulnerability exists in the index.php file where the dir parameter value is reflected without HTML encoding inside the HTML title element and inside anchor href attributes in the breadcrumb navigation. This allows attackers to inject arbitrary JavaScript via crafted dir parameter values by breaking out of the title context or injecting event handlers into breadcrumb anchor attributes to execute malicious scripts in a victim's browser.
- Vendor: Evoluted
- Product: PHP Directory Listing Script
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-10
Who should care
Users of Evoluted PHP Directory Listing Script through 4.0.5 should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability has a CVSS score of 5.1 and a severity of MEDIUM. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.
Defensive priority
MEDIUM
Recommended defensive actions
- Apply the patch or update to a version of Evoluted PHP Directory Listing Script that is not vulnerable.
- HTML-encode the dir parameter value wherever it is reflected, that is, in the HTML title element and in the breadcrumb anchor href attributes.
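One way to apply the encoding recommended above, shown as an added example that is not code from the Evoluted script. The helper names, the breadcrumb URL layout (`index.php?dir=...`) and the sample value are assumptions.

```php
<?php
// Added example: hypothetical helpers, not the Evoluted script's own code.

/** Encode a value for HTML text content or a quoted attribute value. */
function html_text(string $value): string
{
    // ENT_QUOTES encodes both " and '; ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Build one breadcrumb anchor per path segment of the dir value. */
function breadcrumb_links(string $dir): array
{
    $links = [];
    $path = [];
    foreach (explode('/', $dir) as $segment) {
        if ($segment === '') {
            continue; // skip empty segments from leading or doubled slashes
        }
        // URL context first: percent-encode the segment for the query string.
        $path[] = rawurlencode($segment);
        // HTML context second: encode the complete attribute value.
        // The index.php?dir= layout is assumed for illustration.
        $href = html_text('index.php?dir=' . implode('/', $path));
        $links[] = '<a href="' . $href . '">' . html_text($segment) . '</a>';
    }
    return $links;
}

// Constructed sample value containing quote and angle-bracket characters.
$dir = $_GET['dir'] ?? 'docs/a"b<c>/reports';
if (!is_string($dir)) {
    $dir = ''; // dir[]=x arrives as an array; treat it as empty
}

// Title context: the reflected value is rendered as text, not markup.
echo '<title>Index of ' . html_text($dir) . "</title>\n";
// Attribute context: the value cannot close the href quote.
echo implode(' / ', breadcrumb_links($dir)), "\n";
```

With the sample value, the title shows `a&quot;b&lt;c&gt;` as text and the href carries `a%22b%3Cc%3E`, so the value stays inside both contexts.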
Evidence notes
The vendor of the product is listed as Unknown Vendor with low confidence. The product name is not specified, but there is evidence that the product is related to Evoluted.
Official resources
CVE-2026-25557 was published on 2026-06-09T21:17:04.173Z and modified on 2026-06-10T19:41:25.327Z.