SourceCodester Modern Image Gallery App 10 – Path Traversal in File Deletion (CVE-2026-3695) – MEDIUM

Listen to this Post

The vulnerability, identified as CVE-2026-3695, resides in the file deletion mechanism of the SourceCodester Modern Image Gallery App version 1.0. Specifically, the endpoint `/delete.php` fails to properly sanitize user input supplied via the `filename` argument. This oversight allows an attacker to manipulate file paths using directory traversal sequences (such as ../). By crafting a malicious request, an unauthenticated remote attacker can traverse outside the intended image directory and delete arbitrary files on the server. This could lead to the deletion of critical system files, configuration files, or other sensitive data, potentially causing a denial of service or disrupting application functionality. The attack requires no authentication and has low complexity, making it easily exploitable. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The exploit details have been publicly disclosed, increasing the risk of active exploitation.

DailyCVE Form:

Platform: SourceCodester Modern Gallery
Version: 1.0
Vulnerability : Path Traversal
Severity: MEDIUM (CVSS 6.5)
Date: 03/09/2026

Prediction: Patch unlikely soon

What Undercode Say:

Analytics:

The vulnerability is present in /delete.php. The code likely includes a line similar to `unlink($_GET[‘filename’]);` or `unlink($_POST[‘filename’]);` without validating the path.

Exploit:

An attacker can delete arbitrary files by traversing directories.

Delete a critical system configuration file (e.g., from the web root)
curl -X POST "http://localhost/modern-image-gallery/delete.php" \
--data "filename=../../../../config/database.php"
Delete the application's main index file to cause a denial of service
curl -X GET "http://localhost/modern-image-gallery/delete.php?filename=../../../index.php"

Protection from this CVE:

  1. Input Validation: Implement strict validation to ensure the `filename` is a base name and does not contain path traversal sequences (../ or ..\\).
  2. Path Canonicalization: Use `realpath()` to resolve the absolute path of the file and verify it begins with the intended base directory (e.g., the gallery’s upload folder).
    $base_dir = realpath('/var/www/html/modern-image-gallery/images/');
    $file_path = realpath($base_dir . '/' . $_POST['filename']);
    if ($file_path && strpos($file_path, $base_dir) === 0) {
    unlink($file_path);
    }
    
  3. Run with Least Privilege: Ensure the web server user has write/delete permissions only where necessary.

Impact:

Successful exploitation allows an unauthenticated attacker to delete any file the web server has permissions to remove. This can lead to website defacement, denial of service, or disruption of the entire application by deleting core configuration or dependency files.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top