CVE-2026-25869
Published: 11 February 2026
Summary
CVE-2026-25869 is a high-severity Path Traversal (CWE-22) vulnerability in Rybber Minigal Nano. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 31.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories. For this weakness class that means canonicalizing the resolved path and checking that it remains under the allowed root, not stripping dot-dot sequences from the input: the stripping approach is the very filter this CVE bypasses.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
A path traversal vulnerability in a public-facing web application directly enables remote exploitation for initial access (T1190), and in turn facilitates filesystem enumeration (T1083) and collection of files and data from the local system (T1005).
NVD Description
MiniGal Nano versions 0.3.5 and prior contain a path traversal vulnerability in index.php via the dir parameter. The application appends user-controlled input to the photos directory and attempts to prevent traversal by removing dot-dot sequences, but this protection can be bypassed using crafted directory patterns. An attacker can exploit this behavior to cause the application to enumerate and display image files from unintended filesystem locations that are readable by the web server, resulting in unintended information disclosure.
Deeper analysis (AI-generated)
CVE-2026-25869 is a path traversal vulnerability (CWE-22) in MiniGal Nano versions 0.3.5 and prior. The flaw exists in index.php, where the dir parameter accepts user-controlled input that is appended to the photos directory. The application attempts to block traversal by removing dot-dot sequences, but this sanitization can be bypassed with crafted directory patterns, allowing the server to enumerate and display image files from unintended filesystem locations readable by the web server process, resulting in information disclosure.
With a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), the vulnerability is exploitable remotely over the network with low attack complexity, no authentication or user interaction required. Unauthenticated attackers can manipulate the dir parameter to access and reveal contents of arbitrary readable directories, potentially exposing sensitive image files outside the intended photos directory.
Advisories and project resources provide further details on the issue. Relevant references include the VulnCheck advisory at https://www.vulncheck.com/advisories/minigal-nano-path-traversal-via-dir-parameter, the SourceForge project page at https://sourceforge.net/projects/minigalnano/, and an archived version of the project site at https://web.archive.org/web/20180330004313/http://www.minigal.dk/minigal-nano.html.
Details
- CWE(s)