CVE-2026-25868
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk21th percentile - higher than 21% of all known CVEs
Summary
MiniGal Nano version 0.3.5 and prior contain a reflected XSS vulnerability in index.php via the dir parameter. The application constructs $currentdir from user-controlled input and embeds it into an error message without output encoding, allowing an attacker to supply HTML/JavaScript that is reflected in the response.
Risk Assessment
Successful exploitation can lead to execution of arbitrary script in a victim's browser in the context of the vulnerable application, potentially resulting in session theft, redirection to malicious sites, or other attacks.
Recommendation
It is recommended to immediately update to the latest version of MiniGal Nano that fixes this vulnerability and implement input validation and output encoding for all user-supplied data.
Original NVD description (English source)
MiniGal Nano version 0.3.5 and prior contain a reflected cross-site scripting (XSS) vulnerability in index.php via the dir parameter. The application constructs $currentdir from user-controlled input and embeds it into an error message without output encoding, allowing an attacker to supply HTML/JavaScript that is reflected in the response. Successful exploitation can lead to execution of arbitrary script in a victim's browser in the context of the vulnerable application.

