CVE-2026-9059

Deferred Deferred - Pending Action

Authenticated SQL Injection in NextGEN Gallery

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: Tenable Network Security, Inc.

Description

NextGEN Gallery version prior to 4.2.1 are vulnerable to authenticated SQL injection via the 'orderby' parameter on the REST API endpoints '/imagely/v1/galleries' and '/imagely/v1/albums'. The root cause is an insufficient sanitization function ('_clean_column()') in the data mapper layer that uses a character blacklist instead of a whitelist approach. This allows an authenticated attacker with the 'NextGEN Gallery overview' capability (assigned to the Administrator role by default) to inject arbitrary SQL into the 'ORDER BY' clause.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-05-20

Last Modified

2026-05-20

Generated

2026-06-10

AI Q&A

2026-05-20

EPSS Evaluated

2026-06-08

NVD

CVE-2026-9059

EUVD

EUVD-2026-31073

Affected Vendors & Products

Vendor	Product	Version / Range
imagely	nextgen_gallery	to 4.2.1 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

CVE-2026-9059 is an authenticated SQL injection vulnerability in NextGEN Gallery versions prior to 4.2.1. It occurs in the 'orderby' parameter of the REST API endpoints '/imagely/v1/galleries' and '/imagely/v1/albums'.

The root cause is an insufficient sanitization function called '_clean_column()' that uses a character blacklist instead of a safer whitelist approach. This flaw allows an authenticated attacker with the 'NextGEN Gallery overview' capability (usually assigned to administrators) to inject arbitrary SQL code into the 'ORDER BY' clause of database queries.

Impact Analysis

This vulnerability can have a high impact on the confidentiality and integrity of your data. An attacker with the required permissions can execute arbitrary SQL commands, potentially leading to unauthorized data access, data modification, or disruption of database operations.

Because the attacker must be authenticated with elevated privileges, the risk is limited to users with the 'NextGEN Gallery overview' capability, but the impact remains severe if exploited.

Detection Guidance

This vulnerability exists in the 'orderby' parameter of the REST API endpoints '/imagely/v1/galleries' and '/imagely/v1/albums' in NextGEN Gallery versions prior to 4.2.1. Detection involves verifying if these endpoints are accessible and if the 'orderby' parameter is vulnerable to SQL injection when used by an authenticated user with the 'NextGEN Gallery overview' capability.

Since the vulnerability requires authentication and specific capabilities, detection commands would typically involve sending crafted HTTP requests to these endpoints with manipulated 'orderby' parameters to test for SQL injection behavior.

Use curl or similar tools to send authenticated requests to '/imagely/v1/galleries' or '/imagely/v1/albums' with payloads in the 'orderby' parameter designed to trigger SQL errors or unexpected behavior.
Example curl command (replace placeholders with actual values):
curl -X GET 'https://your-site.com/wp-json/imagely/v1/galleries?orderby=1%20OR%201=1' -H 'Authorization: Bearer <token>'
Monitor the response for SQL errors or abnormal data indicating injection.

Mitigation Strategies

The primary and recommended mitigation step is to upgrade NextGEN Gallery to version 4.2.1 or later, where the vulnerability has been fixed.

Until the upgrade can be applied, restrict access to the REST API endpoints '/imagely/v1/galleries' and '/imagely/v1/albums' to trusted users only, especially limiting users with the 'NextGEN Gallery overview' capability.

Additionally, monitor and audit API usage for suspicious activity involving the 'orderby' parameter.

Compliance Impact

The provided information does not specify how this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.

Hi! I’m here to help you understand CVE-2026-9059. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-9059

Authenticated SQL Injection in NextGEN Gallery

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart