Cyber Resilience

CVE-2026-25869

Medium · Public PoC

Published: 11 February 2026
Modified: 26 February 2026
CVSS Score (v4): 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0013 (31.7th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25869 is a medium-severity Path Traversal (CWE-22) vulnerability in Rybber Minigal Nano. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the vulnerability at the 31.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-25869 is a path traversal vulnerability (CWE-22) in MiniGal Nano versions 0.3.5 and prior. The flaw exists in index.php, where the dir parameter accepts user-controlled input that is appended to the photos directory. The application attempts to block traversal by removing dot-dot sequences, but this sanitization can be bypassed with crafted directory patterns, allowing the server to enumerate and display image files from unintended filesystem locations readable by the web server process, resulting in information disclosure.

With a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), the vulnerability is exploitable remotely over the network with low attack complexity, no authentication or user interaction required. Unauthenticated attackers can manipulate the dir parameter to access and reveal contents of arbitrary readable directories, potentially exposing sensitive image files outside the intended photos directory.
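The analysis above turns on the fact that stripping dot-dot sequences from the dir parameter is not a confinement check. As an added example that is not MiniGal Nano's own code, the following PHP shows the check a maintainer would put in front of the parameter instead: canonicalise the joined path with realpath() and accept it only when it resolves inside the photos root, which is what the SI-10 and AC-3 controls named on this page call for. The constant PHOTOS_ROOT, the helper name safe_gallery_dir() and the directory layout are assumptions.

```php
<?php
// Added example, not MiniGal Nano's own code. Assumed: the PHOTOS_ROOT layout,
// the helper name safe_gallery_dir(), PHP 8.0+ (str_contains/str_starts_with).
declare(strict_types=1);

const PHOTOS_ROOT = __DIR__ . '/photos';

/**
 * Return the canonical directory for $dir if it resolves inside $root,
 * or null if the request must be rejected. No attempt is made to strip
 * ".." from the input: the decision is taken on the resolved path, so
 * how a traversal sequence was written or encoded is irrelevant.
 */
function safe_gallery_dir(string $root, string $dir): ?string
{
    // NUL bytes and absolute paths are rejected before touching the filesystem.
    if (str_contains($dir, "\0") || str_starts_with($dir, '/') || str_starts_with($dir, '\\')) {
        return null;
    }
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null; // photos root itself is missing or unreadable
    }
    // Canonicalise the joined path: realpath() collapses "..", "." and
    // repeated separators and follows symlinks, so what is compared is the
    // directory that would actually be listed.
    $target = realpath($rootReal . DIRECTORY_SEPARATOR . $dir);
    if ($target === false || !is_dir($target)) {
        return null; // does not exist or is not a directory
    }
    // Prefix check with the separator appended, so that a sibling such as
    // "photos2" cannot pass as a child of "photos".
    if ($target !== $rootReal && !str_starts_with($target, $rootReal . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $target;
}

// Usage as it would sit in index.php: reject bad input with a 400 instead
// of listing whatever directory the sanitised string happened to point at.
$galleryDir = safe_gallery_dir(PHOTOS_ROOT, is_string($_GET['dir'] ?? null) ? $_GET['dir'] : '');
if ($galleryDir === null) {
    http_response_code(400);
    exit('Invalid gallery directory');
}
foreach (glob($galleryDir . '/*.{jpg,jpeg,png,gif}', GLOB_BRACE) ?: [] as $image) {
    echo htmlspecialchars(basename($image), ENT_QUOTES, 'UTF-8'), "\n";
}
```

Because the comparison is made on the resolved path, a symlink inside the photos root that points elsewhere is also rejected; pair the check with a web server account that can read only the gallery tree, as the third mitigating control below describes.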

Advisories and project resources provide further details on the issue. Relevant references include the VulnCheck advisory at https://www.vulncheck.com/advisories/minigal-nano-path-traversal-via-dir-parameter, the SourceForge project page at https://sourceforge.net/projects/minigalnano/, and an archived version of the project site at https://web.archive.org/web/20180330004313/http://www.minigal.dk/minigal-nano.html.

Vulnerability details

MiniGal Nano versions 0.3.5 and prior contain a path traversal vulnerability in index.php via the dir parameter. The application appends user-controlled input to the photos directory and attempts to prevent traversal by removing dot-dot sequences, but this protection can be bypassed using crafted directory patterns. An attacker can exploit this behavior to cause the application to enumerate and display image files from unintended filesystem locations that are readable by the web server, resulting in unintended information disclosure.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1083 File and Directory Discovery (Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

A path traversal vulnerability in a public-facing web application directly enables remote exploitation for initial access (T1190) and facilitates filesystem enumeration (T1083) and the collection of files and data from the local system (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-60946 (shared CWE-22)
CVE-2026-6024 (shared CWE-22)
CVE-2025-67160 (shared CWE-22)
CVE-2026-49128 (shared CWE-22)
CVE-2026-30914 (shared CWE-22)
CVE-2026-22557 (shared CWE-22)
CVE-2021-47850 (shared CWE-22)
CVE-2019-25579 (shared CWE-22)
CVE-2025-52452 (shared CWE-22)
CVE-2025-2264 (shared CWE-22)

Affected Assets

rybber minigal nano ≤ 0.3.5

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 (Information Input Validation), prevent: Requires validating the user-controlled dir parameter to block crafted path traversal sequences, directly preventing access to unintended filesystem locations.

AC-3 (Access Enforcement), prevent: Enforces access control policies to restrict application file reads to only the approved photos directory, stopping traversal exploitation.

Prevent: Limits web server process privileges to read only the intended directories, reducing the impact of a successful path traversal by preventing access to sensitive files.