CVE-2026-9059
Authenticated SQL Injection in NextGEN Gallery
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: Tenable Network Security, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| imagely | nextgen_gallery | to 4.2.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-9059 is an authenticated SQL injection vulnerability in NextGEN Gallery versions prior to 4.2.1. It occurs in the 'orderby' parameter of the REST API endpoints '/imagely/v1/galleries' and '/imagely/v1/albums'.
The root cause is an insufficient sanitization function called '_clean_column()' that uses a character blacklist instead of a safer whitelist approach. This flaw allows an authenticated attacker with the 'NextGEN Gallery overview' capability (usually assigned to administrators) to inject arbitrary SQL code into the 'ORDER BY' clause of database queries.
How can this vulnerability impact me? :
This vulnerability can have a high impact on the confidentiality and integrity of your data. An attacker with the required permissions can execute arbitrary SQL commands, potentially leading to unauthorized data access, data modification, or disruption of database operations.
Because the attacker must be authenticated with elevated privileges, the risk is limited to users with the 'NextGEN Gallery overview' capability, but the impact remains severe if exploited.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability exists in the 'orderby' parameter of the REST API endpoints '/imagely/v1/galleries' and '/imagely/v1/albums' in NextGEN Gallery versions prior to 4.2.1. Detection involves verifying if these endpoints are accessible and if the 'orderby' parameter is vulnerable to SQL injection when used by an authenticated user with the 'NextGEN Gallery overview' capability.
Since the vulnerability requires authentication and specific capabilities, detection commands would typically involve sending crafted HTTP requests to these endpoints with manipulated 'orderby' parameters to test for SQL injection behavior.
- Use curl or similar tools to send authenticated requests to '/imagely/v1/galleries' or '/imagely/v1/albums' with payloads in the 'orderby' parameter designed to trigger SQL errors or unexpected behavior.
- Example curl command (replace placeholders with actual values):
- curl -X GET 'https://your-site.com/wp-json/imagely/v1/galleries?orderby=1%20OR%201=1' -H 'Authorization: Bearer <token>'
- Monitor the response for SQL errors or abnormal data indicating injection.
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation step is to upgrade NextGEN Gallery to version 4.2.1 or later, where the vulnerability has been fixed.
Until the upgrade can be applied, restrict access to the REST API endpoints '/imagely/v1/galleries' and '/imagely/v1/albums' to trusted users only, especially limiting users with the 'NextGEN Gallery overview' capability.
Additionally, monitor and audit API usage for suspicious activity involving the 'orderby' parameter.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.