CVE-2026-42028

Source
https://cve.org/CVERecord?id=CVE-2026-42028
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42028.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-42028
Aliases
  • GHSA-wv5j-98c7-frm9
Published
2026-05-08T15:54:48.496Z
Modified
2026-07-08T08:13:17.204035269Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
novaGallery: Unauthenticated Path Traversal in Album and Cached Image Routes Allows Reading Images Outside Gallery Root
Details

novaGallery is a php image gallery. Prior to version 2.1.1, a path traversal vulnerability has been identified in novaGallery. This allows unauthenticated users to read image files outside the intended gallery root directory. This issue has been patched in version 2.1.1.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42028.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-22"
    ]
}
References

Affected packages

Git / github.com/novaGallery/novagallery

Affected ranges

Type
GIT
Repo
https://github.com/novaGallery/novagallery
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.1.1"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

v1.*
v1.0.0
v1.0.1
v1.1.0
v1.1.1
v2.*
v2.0
v2.1.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42028.json"