Description
MiniGal Nano version 0.3.5 and prior contain a reflected cross-site scripting (XSS) vulnerability in index.php via the dir parameter. The application constructs $currentdir from user-controlled input and embeds it into an error message without output encoding, allowing an attacker to supply HTML/JavaScript that is reflected in the response. Successful exploitation can lead to execution of arbitrary script in a victim's browser in the context of the vulnerable application.
Published: 2026-02-11
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a reflected cross‑site scripting flaw located in index.php of MiniGal Nano version 0.3.5 and earlier releases. An attacker can inject arbitrary HTML or JavaScript through the dir parameter, which the application incorporates into an error message without proper output encoding. When a victim visits the crafted URL, the malicious payload is reflected back in the response, allowing the attacker to execute code in the victim’s browser under the application’s domain. This can result in cookie theft, phishing, content tampering, or other client‑side attacks.

Affected Systems

MiniGal Nano, version 0.3.5 and all earlier releases; vendor MiniGal, provider of the web application.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate impact, while the EPSS score of less than 1% suggests a very low likelihood of exploitation at the time of this analysis. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be a standard HTTP request to the vulnerable application, where the attacker merely supplies a crafted dir parameter in the URL. An attacker needs only to send a link to the victim, and the vulnerability is exploitable without additional privileges or pre‑existing conditions.

Generated by OpenCVE AI on April 16, 2026 at 17:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MiniGal Nano to a version that resolves the reflected XSS flaw
  • Add server‑side output encoding to the dir parameter before it is displayed in any response
  • Implement input validation to reject or escape script‑related characters in the dir value
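As an added illustration, not MiniGal Nano's own code: the unsafe pattern the description names (a request value concatenated straight into an HTML error message) beside the hardened form the recommended actions call for, where the dir value is validated against the gallery root and entity-encoded before it is reflected. GALLERY_ROOT, resolve_gallery_dir and the render_* functions are hypothetical names chosen for this example.

```php
<?php
// Added example, not MiniGal Nano's code. All names here (GALLERY_ROOT,
// resolve_gallery_dir, render_error_*) are hypothetical.
declare(strict_types=1);

const GALLERY_ROOT = __DIR__ . '/galleries';

// Vulnerable pattern (CWE-79): the raw query value lands in HTML unencoded,
// so any markup it contains is parsed by the victim's browser.
function render_error_unsafe(string $currentdir): string
{
    return '<p>Directory not found: ' . $currentdir . '</p>';
}

// Hardened step 1: validate the directory before using it at all. Returns the
// real path under GALLERY_ROOT, or null if the value is not an existing
// subdirectory of the root (the prefix check also stops ../ traversal).
function resolve_gallery_dir(string $dir): ?string
{
    // Path segments of word characters, dots and dashes only: no leading
    // slash, no empty segments, no NUL bytes or other control characters.
    if (!preg_match('#\A[\w.-]+(?:/[\w.-]+)*\z#', $dir)) {
        return null;
    }
    $root = realpath(GALLERY_ROOT);
    $real = realpath(GALLERY_ROOT . '/' . $dir);
    if ($root === false || $real === false || !is_dir($real)) {
        return null;
    }
    return str_starts_with($real, $root . DIRECTORY_SEPARATOR) ? $real : null;
}

// Hardened step 2: anything reflected into HTML is entity-encoded, so a
// rejected value is displayed as text rather than interpreted as markup.
function render_error_safe(string $currentdir): string
{
    $encoded = htmlspecialchars($currentdir, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>Directory not found: ' . $encoded . '</p>';
}

// Request handling: validate first, encode whatever is echoed back.
$dir = $_GET['dir'] ?? '';
if (!is_string($dir)) {
    $dir = '';
}
$currentdir = resolve_gallery_dir($dir);
if ($currentdir === null) {
    echo render_error_safe($dir);
    exit;
}
// ... continue with the gallery listing for $currentdir ...
```

Output encoding is the fix for the reflected XSS itself; the path validation is the separate check that keeps a user-controlled dir value inside the gallery root.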



Advisories

No advisories yet.

History

Thu, 05 Mar 2026 02:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Gnu; Gnu nano
CPEs                                  cpe:2.3:a:gnu:nano:*:*:*:*:*:*:*:*
Vendors & Products                    Gnu; Gnu nano

Thu, 26 Feb 2026 20:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Rybber; Rybber minigal Nano
CPEs                                  cpe:2.3:a:rybber:minigal_nano:*:*:*:*:*:*:*:*
Vendors & Products                    Rybber; Rybber minigal Nano
Metrics                               cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Wed, 11 Feb 2026 22:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Minigal; Minigal minigal
Vendors & Products                    Minigal; Minigal minigal
Metrics                               ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Feb 2026 16:15:00 +0000


Wed, 11 Feb 2026 15:45:00 +0000

Type                 Values Removed   Values Added
Description                           MiniGal Nano version 0.3.5 and prior contain a reflected cross-site scripting (XSS) vulnerability in index.php via the dir parameter. The application constructs $currentdir from user-controlled input and embeds it into an error message without output encoding, allowing an attacker to supply HTML/JavaScript that is reflected in the response. Successful exploitation can lead to execution of arbitrary script in a victim's browser in the context of the vulnerable application.
Title                                 MiniGal Nano <= 0.3.5 Reflected XSS via dir Parameter
Weaknesses                            CWE-79
References
Metrics                               cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:55.511Z

Reserved: 2026-02-06T19:12:03.464Z

Link: CVE-2026-25868

Vulnrichment

Updated: 2026-02-11T21:40:42.856Z

NVD

Status : Analyzed

Published: 2026-02-11T16:16:06.657

Modified: 2026-02-26T20:30:30.263

Link: CVE-2026-25868

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T17:15:17Z

Weaknesses