CVE-2026-3695
Received Received - Intake
Path Traversal in SourceCodester Modern Image Gallery /delete.php

Publication date: 2026-03-08

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in SourceCodester Modern Image Gallery App 1.0. Impacted is an unknown function of the file /delete.php. Such manipulation of the argument filename leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-08
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3695
EUVD
EUVD-2026-10202
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
remyandrade modern_image_gallery_app 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-3695 is a path traversal vulnerability in SourceCodester Modern Image Gallery App version 1.0, specifically in the delete.php script.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the application uses the filename parameter from a POST request directly in the file deletion function without any validation or sanitization.'}, {'type': 'paragraph', 'content': "The code concatenates the string 'images/' with the user-supplied filename and passes this to the unlink() function, allowing an unauthenticated attacker to delete arbitrary files on the server."}, {'type': 'paragraph', 'content': 'Attackers can include path traversal sequences like "../" in the filename to delete files outside the intended directory.'}, {'type': 'paragraph', 'content': 'A proof of concept shows that sending a POST request with parameters id=1 and filename=../config.php results in deletion of the config.php file, causing HTTP 500 errors and denial of service.'}] [1, 3]

Impact Analysis

This vulnerability allows attackers to delete arbitrary files on the server that the web server has write access to.

  • Arbitrary File Deletion: Critical files such as config.php (containing database credentials), .htaccess (server configuration), and index.php (application entry point) can be deleted.
  • Denial of Service (DoS): Deleting essential files causes the application to fail and return HTTP 500 Internal Server Errors.
  • Secondary Attack Facilitation: Attackers can delete access control files, logs, or audit trails to cover their tracks or bypass authentication.
  • Potential Privilege Escalation: If the web server runs with elevated privileges, attackers could delete sensitive system files such as /etc/passwd or SSH keys.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for suspicious POST requests to the delete.php script that include the filename parameter with path traversal sequences such as "../". An example detection method is to look for HTTP POST requests targeting delete.php with filename parameters containing directory traversal patterns.'}, {'type': 'paragraph', 'content': 'A practical approach is to use network monitoring or web server logs to identify such requests. For example, using command-line tools like grep on web server access logs to find suspicious requests:'}, {'type': 'list_item', 'content': 'grep "POST /delete.php" /var/log/apache2/access.log | grep "filename=.."'}, {'type': 'list_item', 'content': 'tcpdump or Wireshark filters to capture HTTP POST requests to delete.php and inspect the payload for filename parameters containing "../"'}, {'type': 'paragraph', 'content': 'Additionally, scanning for the presence of the vulnerable application by searching for URLs containing "delete.php" can help identify potential targets on your network.'}] [2, 3]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include sanitizing and validating the filename parameter in the delete.php script to prevent path traversal attacks.'}, {'type': 'paragraph', 'content': 'Specifically, implement the following in the code:'}, {'type': 'list_item', 'content': 'Use basename() to strip directory components from the filename.'}, {'type': 'list_item', 'content': 'Filter the filename to allow only safe characters (e.g., alphanumeric, dots, underscores, hyphens) using a regular expression.'}, {'type': 'list_item', 'content': 'Use realpath() to ensure the resolved file path is within the intended images directory before deleting.'}, {'type': 'paragraph', 'content': 'Example secure code snippet:'}, {'type': 'paragraph', 'content': "```php\n$filename = basename($_POST['filename']);\n$filename = preg_replace('/[^a-zA-Z0-9._-]/', '', $filename);\n$image_path = 'images/' . $filename;\nif (file_exists($image_path) && strpos(realpath($image_path), realpath('images/')) === 0) {\n unlink($image_path);\n}\n```"}, {'type': 'paragraph', 'content': 'If patching is not immediately possible, consider restricting access to delete.php via network controls or web server configuration to trusted users only.'}] [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3695. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart