What is the severity of CVE-2026-25500?

CVE-2026-25500 has a CVSS v3 score of 5.4, which is classified as Medium severity.

Is there an exploit available for CVE-2026-25500?

No known public exploits are currently available for CVE-2026-25500.

Is there a patch available for CVE-2026-25500?

Yes, patches are available for CVE-2026-25500. Check the vendor advisories for update instructions.

CVE-2026-25500 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v35.4

CVSS v20.0

Priority Score223.0

EPSS Score0.0

Medium

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

5.4

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

Rack::Directory generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename begins with the javascript: scheme (e.g. javascript:alert(1)), the generated index includes an anchor whose href attribute is exactly javascript:alert(1). Clicking this entry executes arbitrary JavaScript in the context of the hosting application.

This results in a client-side XSS condition in directory listings generated by Rack::Directory.

Details

Rack::Directory renders directory entries using an HTML row template similar to:

<a href='%s'>%s</a>

The %s placeholder is populated directly with the file’s basename. If the basename begins with javascript:, the resulting HTML contains an executable JavaScript URL:

<a href='javascript:alert(1)'>javascript:alert(1)</a>

Because the value is inserted directly into the href attribute without scheme validation or normalization, browsers interpret it as a JavaScript URI. When a user clicks the link, the JavaScript executes in the origin of the Rack application.

Impact

If Rack::Directory is used to expose filesystem contents over HTTP, an attacker who can create or upload files within that directory may introduce a malicious filename beginning with javascript:.

When a user visits the directory listing and clicks the entry, arbitrary JavaScript executes in the application's origin. Exploitation requires user interaction (clicking the malicious entry).

Mitigation

Update to a patched version of Rack in which Rack::Directory prefixes generated anchors with a relative path indicator (e.g. ./filename).
Avoid exposing user-controlled directories via Rack::Directory.
Apply a strict Content Security Policy (CSP) to reduce impact of potential client-side execution issues.

CVSS v3 Breakdown

Attack Vector:Network

Attack Complexity:Local

Privileges Required:Local

User Interaction:Required

Scope:Changed

Confidentiality:Local

Integrity:Local

Availability:Network

Patch References

Github.com Security [email protected]

Ready for Agentic Automated Testing?

CVE-2026-25500

Summary

Details

Impact

Mitigation