
CVE-2026-25868: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in MiniGal MiniGal Nano

Severity: Medium
Tags: Vulnerability, CVE-2026-25868, CWE-79
Published: Wed Feb 11 2026 (02/11/2026, 15:34:45 UTC)
Source: CVE Database V5
Vendor/Project: MiniGal
Product: MiniGal Nano

Description

MiniGal Nano version 0.3.5 and prior contain a reflected cross-site scripting (XSS) vulnerability in index.php via the dir parameter. The application constructs $currentdir from user-controlled input and embeds it into an error message without output encoding, allowing an attacker to supply HTML/JavaScript that is reflected in the response. Successful exploitation can lead to execution of arbitrary script in a victim's browser in the context of the vulnerable application.

AI-Powered Analysis

AI analysis last updated: 02/11/2026, 16:00:52 UTC

Technical Analysis

CVE-2026-25868 identifies a reflected cross-site scripting (XSS) vulnerability in MiniGal Nano, a lightweight photo gallery web application. The vulnerability resides in the index.php script, specifically in the handling of the dir parameter. MiniGal Nano constructs a variable $currentdir directly from user input without sanitization or output encoding before embedding it into an error message displayed to users. This improper neutralization of input (CWE-79) allows attackers to inject arbitrary HTML or JavaScript code that is reflected back in the HTTP response. When a victim accesses a maliciously crafted URL containing the payload in the dir parameter, the injected script executes in their browser under the context of the vulnerable site. This can lead to session hijacking, cookie theft, or other malicious actions typical of XSS attacks. The vulnerability is remotely exploitable without authentication but requires user interaction (clicking a malicious link). The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:A), and limited scope impact (S:L). No patches or official fixes are currently linked, and no known exploits are reported in the wild. The vulnerability was published on February 11, 2026, and affects MiniGal Nano version 0.3.5 and prior. Given the nature of MiniGal Nano as a web-facing application, this vulnerability poses a risk to any deployment accessible to untrusted users.
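The following is an added example, not MiniGal Nano's own code: it places the unsafe pattern the analysis describes (user input copied into $currentdir and interpolated into an error message) next to a hardened handler that allow-lists the dir value and HTML-encodes it at the output boundary. GALLERY_ROOT and the function names are assumptions; only $currentdir and the dir parameter come from the advisory.

```php
<?php
// Added example, not MiniGal Nano's own code. GALLERY_ROOT and the function
// names are assumptions; $currentdir and the dir parameter are from the advisory.

const GALLERY_ROOT = __DIR__ . '/photos';   // assumed gallery base directory

// Unsafe pattern (illustration only, never called below): $currentdir comes
// straight from the request and is interpolated into markup with no encoding,
// so any HTML in ?dir= is reflected back verbatim to whoever opens the link.
function render_error_unsafe(string $currentdir): string
{
    return "<p>Error: directory '$currentdir' not found</p>";
}

// Hardened step 1: allow-list the value. Only path segments of [A-Za-z0-9_-]
// joined by single slashes, which rejects '<', '>', quotes, spaces, '..',
// leading slashes and NUL bytes before the value is used for anything.
function is_valid_dir(string $dir): bool
{
    return $dir === '' || preg_match('#^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*$#', $dir) === 1;
}

// Hardened step 2: encode at the output boundary regardless of step 1, so a
// later loosening of the allow-list cannot silently reintroduce the bug.
function render_error_safe(string $currentdir): string
{
    $enc = htmlspecialchars($currentdir, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Error: directory '$enc' not found</p>";
}

// Request handling. $_GET['dir'] may be absent or even an array (?dir[]=x),
// so check the type before treating it as a string.
$dir = $_GET['dir'] ?? '';
if (!is_string($dir) || !is_valid_dir($dir)) {
    http_response_code(400);
    echo '<p>Error: invalid directory name</p>';   // static text, nothing reflected
} elseif (!is_dir(GALLERY_ROOT . ($dir === '' ? '' : '/' . $dir))) {
    http_response_code(404);
    echo render_error_safe($dir);                  // reflected, but encoded
} else {
    $currentdir = $dir;                             // safe to use for listing
    echo '<p>Gallery: ' . htmlspecialchars($currentdir, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}
```

Both layers matter: the allow-list stops the value ever reaching the filesystem or the page with hostile characters, and the encoding guarantees the error message stays a text node even if validation is later relaxed.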

Potential Impact

For European organizations, the impact of this vulnerability depends on the extent to which MiniGal Nano is used in their web infrastructure. Organizations using MiniGal Nano to host photo galleries or web content accessible to external users could face risks of session hijacking, defacement, or redirection attacks via XSS. This could lead to reputational damage, unauthorized access to user accounts, or distribution of malware through compromised browsers. Although the vulnerability does not allow direct server compromise or data breach, the ability to execute arbitrary scripts in users' browsers can facilitate phishing or social engineering attacks. The medium CVSS score reflects moderate risk, but the impact can be significant if exploited against high-profile or sensitive web portals. European entities with public-facing MiniGal Nano installations should consider this a priority to address, especially in sectors like media, education, or cultural institutions where such galleries might be common. The lack of known exploits reduces immediate risk but does not eliminate the threat as attackers may develop exploits in the future.

Mitigation Recommendations

To mitigate CVE-2026-25868, organizations should implement proper output encoding on all user-controlled inputs, particularly the dir parameter in index.php, to neutralize any HTML or JavaScript content before rendering it in error messages. Input validation should be applied to restrict the dir parameter to expected directory names or safe character sets. If possible, upgrade MiniGal Nano to a version that addresses this vulnerability once available. In the absence of an official patch, consider applying custom patches or web application firewall (WAF) rules to detect and block malicious payloads targeting the dir parameter. Additionally, restrict access to the MiniGal Nano application to trusted users or internal networks if public exposure is not required. Educate users about the risks of clicking untrusted links and monitor web logs for suspicious requests containing script tags or unusual input patterns. Regular security assessments and penetration testing can help identify residual XSS or similar vulnerabilities in the application environment.
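As an added example (not from the advisory or the MiniGal project) of the log monitoring recommended above, this script reads access log lines in combined format, decodes the dir query parameter of requests to index.php, and flags any value that would fail the same strict allow-list a hardened handler would enforce. The log lines are constructed for the example.

```php
<?php
// Added example, not from the advisory or the MiniGal project: flags access
// log entries whose ?dir= value falls outside a strict allow-list, which is
// the anomaly the mitigation section says to watch for. Log lines are constructed.

// Constructed sample lines in Apache/nginx combined log format.
$sampleLog = <<<'LOG'
203.0.113.7 - - [11/Feb/2026:15:40:01 +0000] "GET /gallery/index.php?dir=holiday/2025 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Feb/2026:15:41:13 +0000] "GET /gallery/index.php?dir=%3Cscript%3Ex%3C/script%3E HTTP/1.1" 200 812 "-" "curl/8.5.0"
203.0.113.9 - - [11/Feb/2026:15:41:20 +0000] "GET /gallery/index.php?dir=../../etc HTTP/1.1" 200 830 "-" "curl/8.5.0"
198.51.100.4 - - [11/Feb/2026:15:42:00 +0000] "GET /gallery/index.php HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
LOG;

function suspicious_dir_requests(string $log): array
{
    $hits = [];
    foreach (explode("\n", $log) as $line) {
        // Pull the request target out of the quoted request line.
        if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\//', $line, $m)) {
            continue;
        }
        $query = parse_url($m[1], PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;                  // no query string: nothing to inspect
        }
        parse_str($query, $params);    // parse_str() also URL-decodes the values
        if (!isset($params['dir']) || !is_string($params['dir'])) {
            continue;
        }
        // Anything outside plain path segments is worth a look: this catches
        // encoded tags, quotes and traversal attempts alike, without a payload list.
        if (!preg_match('#^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*$#', $params['dir'])) {
            $hits[] = ['ip' => strtok($line, ' '), 'dir' => $params['dir']];
        }
    }
    return $hits;
}

// Prints the two constructed anomalies (the <script> and ../../etc requests).
foreach (suspicious_dir_requests($sampleLog) as $hit) {
    printf("%s  dir=%s\n", $hit['ip'], $hit['dir']);
}
```

Matching against an allow-list rather than a list of known payloads keeps the check aligned with what the hardened index.php accepts, so every flagged line is a request the application should also have rejected.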


Technical Details

Data Version: 5.2
Assigner Short Name: VulnCheck
Date Reserved: 2026-02-06T19:12:03.464Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 698ca44a4b57a58fa1a27f6a

Added to database: 2/11/2026, 3:46:18 PM

Last enriched: 2/11/2026, 4:00:52 PM

Last updated: 2/11/2026, 6:03:17 PM
