Description
MiniGal Nano versions 0.3.5 and prior contain a path traversal vulnerability in index.php via the dir parameter. The application appends user-controlled input to the photos directory and attempts to prevent traversal by removing dot-dot sequences, but this protection can be bypassed using crafted directory patterns. An attacker can exploit this behavior to cause the application to enumerate and display image files from unintended filesystem locations that are readable by the web server, resulting in unintended information disclosure.
Published: 2026-02-11
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via Path Traversal
Action: Patch
AI Analysis

Impact

MiniGal Nano versions up to and including 0.3.5 contain a path traversal flaw in index.php. The application concatenates the dir parameter to the photos directory and attempts to block traversal by removing '..' sequences, but this safeguard can be bypassed with crafted directory patterns. An attacker can exploit the flaw to enumerate and display image files from unintended filesystem locations that are readable by the web server, leading to unintended information disclosure. The weakness is classified as CWE-22.

Affected Systems

The vulnerability affects MiniGal Nano (vendor: MiniGal), specifically versions 0.3.5 and earlier.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. The EPSS score of less than 1% reflects a very low likelihood of exploitation at this time, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is the web application’s index.php endpoint, which accepts a user-supplied dir parameter. By sending a crafted HTTP request that manipulates the dir value, an attacker can bypass the directory traversal protection and obtain file listings or content from directories on the host that the web server can read. Successful exploitation would result in the disclosure of potentially sensitive files, limited only by the web server’s file permissions.

Generated by OpenCVE AI on April 17, 2026 at 20:18 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑published update that resolves the path traversal flaw.
  • Disable or restrict the dir parameter in the application configuration to prevent arbitrary directory access.
  • Ensure the web server’s file permissions limit read access to only the intended photos directory.
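One way to restrict the dir parameter is to canonicalize the requested path and verify that it stays inside the photos directory, instead of stripping substrings from the input. The following is an added example, not code from MiniGal Nano or OpenCVE; the function name `resolve_gallery_dir`, the directory names and the sample dir values are hypothetical and constructed for the demonstration.

```php
<?php
// Added example, not MiniGal Nano code; function name and paths are hypothetical.

/**
 * Return the canonical path of a user-supplied gallery subdirectory,
 * or null when it does not resolve to a directory inside $photosRoot.
 */
function resolve_gallery_dir(string $photosRoot, string $dir): ?string
{
    // Canonicalize the root once and fail closed if it is missing.
    $root = realpath($photosRoot);
    if ($root === false || !is_dir($root)) {
        return null;
    }
    // Reject NUL bytes before they reach any filesystem call.
    if (strpos($dir, "\0") !== false) {
        return null;
    }
    // realpath() resolves ".", "..", repeated separators and symlinks,
    // and returns false when the target does not exist.
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $dir);
    if ($candidate === false || !is_dir($candidate)) {
        return null;
    }
    // Compare canonical paths. The trailing separator keeps a sibling such
    // as "photos_private" from matching the root "photos".
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $root && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo tree under the system temp directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'gallery_demo_' . bin2hex(random_bytes(4));
mkdir($base . '/photos/album1', 0700, true);
mkdir($base . '/photos_private', 0700, true);

// Constructed sample values for the dir parameter.
foreach (['', 'album1', 'album1/..', '..', '../photos_private', 'missing'] as $dir) {
    $resolved = resolve_gallery_dir($base . '/photos', $dir);
    printf("%-22s => %s\n", var_export($dir, true), $resolved === null ? 'rejected' : 'allowed');
}

// Remove the demo tree.
rmdir($base . '/photos/album1');
rmdir($base . '/photos');
rmdir($base . '/photos_private');
rmdir($base);
```

Because the decision is made on the resolved path, it does not depend on which character sequences appear in the request, and a symlink inside the photos directory that points elsewhere is rejected as well.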

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 02:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Gnu; Gnu nano
CPEs | | cpe:2.3:a:gnu:nano:*:*:*:*:*:*:*:*
Vendors & Products | | Gnu; Gnu nano

Thu, 26 Feb 2026 21:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Rybber; Rybber minigal Nano
CPEs | | cpe:2.3:a:rybber:minigal_nano:*:*:*:*:*:*:*:*
Vendors & Products | | Rybber; Rybber minigal Nano
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Wed, 11 Feb 2026 22:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Minigal; Minigal minigal
Vendors & Products | | Minigal; Minigal minigal

Wed, 11 Feb 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Feb 2026 16:15:00 +0000

Type | Values Removed | Values Added
Description | | MiniGal Nano versions 0.3.5 and prior contain a path traversal vulnerability in index.php via the dir parameter. The application appends user-controlled input to the photos directory and attempts to prevent traversal by removing dot-dot sequences, but this protection can be bypassed using crafted directory patterns. An attacker can exploit this behavior to cause the application to enumerate and display image files from unintended filesystem locations that are readable by the web server, resulting in unintended information disclosure.
Title | | MiniGal Nano <= 0.3.5 Path Traversal via dir Parameter
Weaknesses | | CWE-22
References | |
Metrics | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:56.329Z

Reserved: 2026-02-06T19:12:03.464Z

Link: CVE-2026-25869

Vulnrichment

Updated: 2026-02-11T16:13:18.962Z

NVD

Status: Analyzed

Published: 2026-02-11T16:16:06.813

Modified: 2026-02-26T20:45:55.140

Link: CVE-2026-25869

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:30:15Z

Weaknesses