CVE-2026-25868
Reflected XSS in MiniGal Nano index.php via dir Parameter
Publication date: 2026-02-11
Last updated on: 2026-02-26
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rybber | minigal_nano | to 0.3.5 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-25868 affects MiniGal Nano versions 0.3.5 and earlier and involves a reflected Cross-Site Scripting (XSS) vulnerability in the index.php file via the "dir" parameter.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the application constructs the variable $currentdir directly from user-supplied input and embeds it into an error message without proper output encoding or sanitization.'}, {'type': 'paragraph', 'content': "This flaw allows an attacker to inject arbitrary HTML or JavaScript code, which is then reflected in the server's response."}, {'type': 'paragraph', 'content': "Successful exploitation enables execution of malicious scripts in the victim's browser within the context of the vulnerable application."}] [1]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': "Exploitation of this vulnerability can lead to execution of arbitrary scripts in a victim's browser."}, {'type': 'list_item', 'content': 'Session hijacking'}, {'type': 'list_item', 'content': 'Defacement of the web application'}, {'type': 'list_item', 'content': 'Other client-side attacks that compromise user interaction with the application'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the "dir" parameter in the index.php file of MiniGal Nano version 0.3.5 and prior for reflected Cross-Site Scripting (XSS). An effective method is to send crafted HTTP requests with HTML or JavaScript payloads in the "dir" parameter and observe if the payload is reflected unencoded in the server\'s response.'}, {'type': 'paragraph', 'content': 'For example, you can use curl or similar tools to send requests and check the response for reflected scripts.'}, {'type': 'list_item', 'content': "curl -i 'http://yourserver/index.php?dir=<script>alert(1)</script>'"}, {'type': 'list_item', 'content': 'Observe the response body for the presence of the injected script tag without encoding.'}, {'type': 'paragraph', 'content': 'If the script is reflected in the response, the vulnerability is present.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Immediate mitigation steps include sanitizing and properly encoding user input before embedding it into the response. Specifically, ensure that the "dir" parameter is validated and output encoded to prevent injection of arbitrary HTML or JavaScript.'}, {'type': 'paragraph', 'content': 'If possible, update MiniGal Nano to a version that addresses this vulnerability or apply patches that fix the reflected XSS issue.'}, {'type': 'paragraph', 'content': 'As a temporary measure, consider implementing web application firewall (WAF) rules to detect and block malicious payloads targeting the "dir" parameter.'}] [1]