CVE-2026-25868 is a reflected cross-site scripting (XSS) vulnerability identified in MiniGal Nano, a lightweight photo gallery web application, affecting version 0.3.5 and prior. The vulnerability exists in the index.php script where the 'dir' parameter is taken from user input and used to construct the variable $currentdir, which is then embedded directly into an error message without any output encoding or sanitization. This improper neutralization of input (CWE-79) allows an attacker to inject arbitrary HTML or JavaScript code that is reflected back in the HTTP response. When a victim visits a crafted URL containing malicious script in the 'dir' parameter, the script executes in their browser within the security context of the MiniGal Nano application. This can lead to theft of session cookies, defacement, or redirection to malicious sites. The vulnerability is remotely exploitable over the network without requiring authentication or privileges, but it does require user interaction to trigger the malicious payload. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges or user interaction required for the attack to succeed, and low scope impact. No patches or official fixes are currently available, and no known exploits have been reported in the wild. The vulnerability was published on February 11, 2026, and assigned by VulnCheck. MiniGal Nano is typically used by small to medium websites or personal galleries, which may limit the scale of impact but still poses a risk to users of affected installations.

The primary impact of this vulnerability is the potential execution of arbitrary scripts in users' browsers, which can compromise confidentiality and integrity of user sessions. Attackers can steal cookies or authentication tokens, perform actions on behalf of the user, or redirect users to malicious websites. This can lead to account compromise, data theft, or distribution of malware. While the vulnerability does not directly affect server availability or integrity, successful exploitation can damage the reputation of affected organizations and erode user trust. Because MiniGal Nano is often deployed on smaller or personal websites, the impact may be localized but still significant for those users. The lack of authentication requirement and ease of exploitation increase the risk, especially if attackers can lure users to maliciously crafted URLs. Organizations worldwide using MiniGal Nano are at risk of targeted attacks, especially those with public-facing galleries or user communities.

To mitigate this vulnerability, organizations should immediately implement output encoding or sanitization on the 'dir' parameter before embedding it into any HTML response. Specifically, applying context-appropriate HTML entity encoding to user-supplied input prevents script injection. If possible, upgrade to a fixed version of MiniGal Nano once available. In the absence of an official patch, web application firewalls (WAFs) can be configured to detect and block suspicious requests containing script tags or common XSS payloads targeting the 'dir' parameter. Additionally, administrators should educate users about the risks of clicking on untrusted links and consider implementing Content Security Policy (CSP) headers to restrict script execution sources. Regularly monitoring web server logs for unusual requests and scanning the application with automated security tools can help detect exploitation attempts. Finally, isolating the MiniGal Nano installation and limiting its permissions can reduce potential damage from successful attacks.