VYPR
← All advisories
Medium severity5.3NVD Advisory· Published May 8, 2026· Updated May 12, 2026

CVE-2026-42028

CVE-2026-42028

Description

novaGallery is a php image gallery. Prior to version 2.1.1, a path traversal vulnerability has been identified in novaGallery. This allows unauthenticated users to read image files outside the intended gallery root directory. This issue has been patched in version 2.1.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated path traversal vulnerability in novaGallery 2.1.0 and earlier allows reading image files outside the gallery root directory.

Vulnerability

Overview

A path traversal vulnerability has been identified in novaGallery, a PHP image gallery application, affecting versions 2.1.0 and all earlier releases. The flaw resides in the album and cached image routes, where the application fails to adequately sanitize user-supplied path segments. The removeBadSigns() function only strips the exact string /../, which can be bypassed using variations such as ..;/ or double encoding, allowing an unauthenticated attacker to traverse directories outside the intended gallery root [1].

Exploitation

Details

An unauthenticated attacker can exploit this by crafting HTTP requests containing .. sequences in the album or image parameters. The vulnerable routes, such as /album/(.*) and the cached image route, accept arbitrary path tails without sufficient validation. The weak sanitization only removes /../ but does not prevent other traversal patterns, enabling the attacker to navigate the filesystem and read image files stored outside the galleries/ directory [1]. The commit that fixes the issue introduces two new methods: isSafeRelativePath() and isPathWithinImagesDir(), which perform proper checks against null bytes, .. sequences, backslashes, and absolute paths, and verify that the resolved path remains within the images directory [2].

Impact

Successful exploitation allows an unauthenticated attacker to read image files from arbitrary locations on the server's filesystem, provided they are reachable via relative paths and can be processed as images by the application. This could lead to the exposure of sensitive or private photos stored elsewhere on the filesystem. The vulnerability affects both the Free and Pro editions of novaGallery, as they share the same core routing and image handling code [1].

Mitigation

The issue has been fully resolved in novaGallery version 2.1.1. All users are strongly advised to update immediately. The fix includes additional path validation functions that prevent traversal attacks by checking for unsafe path components and ensuring the final resolved path stays within the intended images directory [2][3].

References
  1. Unauthenticated Path Traversal in Album and Cached Image Routes Allows Reading Images Outside Gallery Root
  2. Merge commit from fork · novafacile/novagallery@46fe7b0
  3. Release novaGallery v2.1.1 · novafacile/novagallery

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

0

No linked articles in our index yet.