Search
Find a vulnerability
Search criteria
2 vulnerabilities found for NextGEN Gallery by awesomemotive
CVE-2026-9059 (GCVE-0-2026-9059)
Vulnerability from nvd – Published: 2026-05-20 07:41 – Updated: 2026-05-20 14:46
VLAI
EPSS
VEX
Title
NextGEN Gallery - SQL Injection
Summary
NextGEN Gallery version prior to 4.2.1 are vulnerable to authenticated SQL injection via the 'orderby' parameter on the REST API endpoints '/imagely/v1/galleries' and '/imagely/v1/albums'.
The root cause is an insufficient sanitization function ('_clean_column()') in the data mapper layer that uses a character blacklist instead of a whitelist approach. This allows an authenticated attacker with the 'NextGEN Gallery overview' capability (assigned to the Administrator role by default) to inject arbitrary SQL into the 'ORDER BY' clause.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper neutralization of special elements used in an SQL command ('SQL injection')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| awesomemotive | NextGEN Gallery |
Affected:
O , < 4.2.1
(custom)
|
Date Public
2026-05-20 07:28
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9059",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T14:30:36.432608Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T14:46:16.064Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://fr.wordpress.org/plugins/nextgen-gallery/",
"defaultStatus": "unaffected",
"product": "NextGEN Gallery",
"vendor": "awesomemotive",
"versions": [
{
"lessThan": "4.2.1",
"status": "affected",
"version": "O",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-05-20T07:28:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eNextGEN Gallery version prior to 4.2.1 are vulnerable to authenticated SQL injection via the \u0027orderby\u0027 parameter on the REST API endpoints \u0027/imagely/v1/galleries\u0027 and \u0027/imagely/v1/albums\u0027.\u003c/p\u003e\u003cp\u003eThe root cause is an insufficient sanitization function (\u0027_clean_column()\u0027) in the data mapper layer that uses a character blacklist instead of a whitelist approach. This allows an authenticated attacker with the \u0027NextGEN Gallery overview\u0027 capability (assigned to the Administrator role by default) to inject arbitrary SQL into the \u0027ORDER BY\u0027 clause.\u003c/p\u003e"
}
],
"value": "NextGEN Gallery version prior to 4.2.1 are vulnerable to authenticated SQL injection via the \u0027orderby\u0027 parameter on the REST API endpoints \u0027/imagely/v1/galleries\u0027 and \u0027/imagely/v1/albums\u0027.\n\n\n\nThe root cause is an insufficient sanitization function (\u0027_clean_column()\u0027) in the data mapper layer that uses a character blacklist instead of a whitelist approach. This allows an authenticated attacker with the \u0027NextGEN Gallery overview\u0027 capability (assigned to the Administrator role by default) to inject arbitrary SQL into the \u0027ORDER BY\u0027 clause."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper neutralization of special elements used in an SQL command (\u0027SQL injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T07:59:31.182Z",
"orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"shortName": "tenable"
},
"references": [
{
"url": "https://www.tenable.com/security/research/tra-2026-42"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "NextGEN Gallery - SQL Injection",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"assignerShortName": "tenable",
"cveId": "CVE-2026-9059",
"datePublished": "2026-05-20T07:41:28.135Z",
"dateReserved": "2026-05-20T06:51:03.927Z",
"dateUpdated": "2026-05-20T14:46:16.064Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9059 (GCVE-0-2026-9059)
Vulnerability from cvelistv5 – Published: 2026-05-20 07:41 – Updated: 2026-05-20 14:46
VLAI
EPSS
VEX
Title
NextGEN Gallery - SQL Injection
Summary
NextGEN Gallery version prior to 4.2.1 are vulnerable to authenticated SQL injection via the 'orderby' parameter on the REST API endpoints '/imagely/v1/galleries' and '/imagely/v1/albums'.
The root cause is an insufficient sanitization function ('_clean_column()') in the data mapper layer that uses a character blacklist instead of a whitelist approach. This allows an authenticated attacker with the 'NextGEN Gallery overview' capability (assigned to the Administrator role by default) to inject arbitrary SQL into the 'ORDER BY' clause.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper neutralization of special elements used in an SQL command ('SQL injection')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| awesomemotive | NextGEN Gallery |
Affected:
O , < 4.2.1
(custom)
|
Date Public
2026-05-20 07:28
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9059",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T14:30:36.432608Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T14:46:16.064Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://fr.wordpress.org/plugins/nextgen-gallery/",
"defaultStatus": "unaffected",
"product": "NextGEN Gallery",
"vendor": "awesomemotive",
"versions": [
{
"lessThan": "4.2.1",
"status": "affected",
"version": "O",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-05-20T07:28:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eNextGEN Gallery version prior to 4.2.1 are vulnerable to authenticated SQL injection via the \u0027orderby\u0027 parameter on the REST API endpoints \u0027/imagely/v1/galleries\u0027 and \u0027/imagely/v1/albums\u0027.\u003c/p\u003e\u003cp\u003eThe root cause is an insufficient sanitization function (\u0027_clean_column()\u0027) in the data mapper layer that uses a character blacklist instead of a whitelist approach. This allows an authenticated attacker with the \u0027NextGEN Gallery overview\u0027 capability (assigned to the Administrator role by default) to inject arbitrary SQL into the \u0027ORDER BY\u0027 clause.\u003c/p\u003e"
}
],
"value": "NextGEN Gallery version prior to 4.2.1 are vulnerable to authenticated SQL injection via the \u0027orderby\u0027 parameter on the REST API endpoints \u0027/imagely/v1/galleries\u0027 and \u0027/imagely/v1/albums\u0027.\n\n\n\nThe root cause is an insufficient sanitization function (\u0027_clean_column()\u0027) in the data mapper layer that uses a character blacklist instead of a whitelist approach. This allows an authenticated attacker with the \u0027NextGEN Gallery overview\u0027 capability (assigned to the Administrator role by default) to inject arbitrary SQL into the \u0027ORDER BY\u0027 clause."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper neutralization of special elements used in an SQL command (\u0027SQL injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T07:59:31.182Z",
"orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"shortName": "tenable"
},
"references": [
{
"url": "https://www.tenable.com/security/research/tra-2026-42"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "NextGEN Gallery - SQL Injection",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"assignerShortName": "tenable",
"cveId": "CVE-2026-9059",
"datePublished": "2026-05-20T07:41:28.135Z",
"dateReserved": "2026-05-20T06:51:03.927Z",
"dateUpdated": "2026-05-20T14:46:16.064Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}