CVE-2026-25868
Awaiting Analysis Awaiting Analysis - Queue
Reflected XSS in MiniGal Nano index.php via dir Parameter

Publication date: 2026-02-11

Last updated on: 2026-02-26

Assigner: VulnCheck

Description
MiniGal Nano version 0.3.5 and prior contain a reflected cross-site scripting (XSS) vulnerability in index.php via the dir parameter. The application constructs $currentdir from user-controlled input and embeds it into an error message without output encoding, allowing an attacker to supply HTML/JavaScript that is reflected in the response. Successful exploitation can lead to execution of arbitrary script in a victim's browser in the context of the vulnerable application.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-11
Last Modified
2026-02-26
Generated
2026-06-16
AI Q&A
2026-02-11
EPSS Evaluated
2026-06-14
NVD
CVE-2026-25868
EUVD
EUVD-2026-6236
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rybber minigal_nano to 0.3.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-25868 affects MiniGal Nano versions 0.3.5 and earlier and involves a reflected Cross-Site Scripting (XSS) vulnerability in the index.php file via the "dir" parameter.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the application constructs the variable $currentdir directly from user-supplied input and embeds it into an error message without proper output encoding or sanitization.'}, {'type': 'paragraph', 'content': "This flaw allows an attacker to inject arbitrary HTML or JavaScript code, which is then reflected in the server's response."}, {'type': 'paragraph', 'content': "Successful exploitation enables execution of malicious scripts in the victim's browser within the context of the vulnerable application."}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': "Exploitation of this vulnerability can lead to execution of arbitrary scripts in a victim's browser."}, {'type': 'list_item', 'content': 'Session hijacking'}, {'type': 'list_item', 'content': 'Defacement of the web application'}, {'type': 'list_item', 'content': 'Other client-side attacks that compromise user interaction with the application'}] [1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the "dir" parameter in the index.php file of MiniGal Nano version 0.3.5 and prior for reflected Cross-Site Scripting (XSS). An effective method is to send crafted HTTP requests with HTML or JavaScript payloads in the "dir" parameter and observe if the payload is reflected unencoded in the server\'s response.'}, {'type': 'paragraph', 'content': 'For example, you can use curl or similar tools to send requests and check the response for reflected scripts.'}, {'type': 'list_item', 'content': "curl -i 'http://yourserver/index.php?dir=<script>alert(1)</script>'"}, {'type': 'list_item', 'content': 'Observe the response body for the presence of the injected script tag without encoding.'}, {'type': 'paragraph', 'content': 'If the script is reflected in the response, the vulnerability is present.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include sanitizing and properly encoding user input before embedding it into the response. Specifically, ensure that the "dir" parameter is validated and output encoded to prevent injection of arbitrary HTML or JavaScript.'}, {'type': 'paragraph', 'content': 'If possible, update MiniGal Nano to a version that addresses this vulnerability or apply patches that fix the reflected XSS issue.'}, {'type': 'paragraph', 'content': 'As a temporary measure, consider implementing web application firewall (WAF) rules to detect and block malicious payloads targeting the "dir" parameter.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25868. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart