CVE-2026-25869
Awaiting Analysis Awaiting Analysis - Queue
Path Traversal in MiniGal Nano Allows Information Disclosure

Publication date: 2026-02-11

Last updated on: 2026-02-26

Assigner: VulnCheck

Description
MiniGal Nano versions 0.3.5 and prior contain a path traversal vulnerability in index.php via the dir parameter. The application appends user-controlled input to the photos directory and attempts to prevent traversal by removing dot-dot sequences, but this protection can be bypassed using crafted directory patterns. An attacker can exploit this behavior to cause the application to enumerate and display image files from unintended filesystem locations that are readable by the web server, resulting in unintended information disclosure.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-11
Last Modified
2026-02-26
Generated
2026-06-16
AI Q&A
2026-02-11
EPSS Evaluated
2026-06-14
NVD
CVE-2026-25869
EUVD
EUVD-2026-5943
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rybber minigal_nano to 0.3.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-25869 affects MiniGal Nano versions 0.3.5 and earlier and involves a path traversal vulnerability in the index.php file via the "dir" parameter.'}, {'type': 'paragraph', 'content': 'The application appends user-supplied input to the photos directory and tries to prevent directory traversal attacks by removing ".." sequences. However, this protection can be bypassed using specially crafted directory patterns.'}, {'type': 'paragraph', 'content': 'An attacker exploiting this flaw can cause the application to enumerate and display image files from arbitrary filesystem locations accessible by the web server, leading to unintended information disclosure.'}] [1]

Impact Analysis

This vulnerability can lead to unintended information disclosure by allowing an attacker to access and display image files from filesystem locations that should not be accessible through the application.

Since the attacker can enumerate files outside the intended photos directory, sensitive or private images stored on the server might be exposed.

The vulnerability has a medium severity with a CVSS v4 base score of 6.9, and it can be exploited remotely without any privileges or user interaction.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves checking if the MiniGal Nano application version 0.3.5 or earlier is running and testing the index.php file\'s "dir" parameter for path traversal weaknesses.'}, {'type': 'paragraph', 'content': 'One way to detect exploitation attempts is to monitor web server logs for unusual requests to index.php with crafted "dir" parameter values that include directory traversal patterns or bypass attempts.'}, {'type': 'paragraph', 'content': 'Example commands to test the vulnerability manually include sending HTTP requests with crafted "dir" parameters to see if files outside the intended photos directory are accessible.'}, {'type': 'list_item', 'content': 'Using curl to test path traversal: curl -v "http://target-site/index.php?dir=.../.../etc/passwd"'}, {'type': 'list_item', 'content': 'Using curl with encoded traversal sequences to bypass filters: curl -v "http://target-site/index.php?dir=....//....//etc/passwd"'}, {'type': 'paragraph', 'content': 'Additionally, scanning tools or custom scripts can be used to automate detection by sending various crafted payloads to the "dir" parameter and analyzing responses for unintended file disclosures.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include restricting access to the vulnerable MiniGal Nano application, especially the index.php file handling the "dir" parameter.'}, {'type': 'paragraph', 'content': 'If possible, upgrade MiniGal Nano to a version later than 0.3.5 where this vulnerability is fixed.'}, {'type': 'paragraph', 'content': 'As a temporary workaround, implement web server rules or application-level input validation to block or sanitize the "dir" parameter to prevent directory traversal patterns.'}, {'type': 'paragraph', 'content': 'Additionally, restrict filesystem permissions so that the web server user has minimal read access outside the intended photos directory to limit the impact of any exploitation.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25869. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart