CVE-2026-9059
Description
NextGEN Gallery versions prior to 4.2.1 are vulnerable to authenticated SQL injection via the 'orderby' parameter on the REST API endpoints '/imagely/v1/galleries' and '/imagely/v1/albums'.
The root cause is an insufficient sanitization function ('_clean_column()') in the data mapper layer that uses a character blacklist instead of a whitelist approach. This allows an authenticated attacker with the 'NextGEN Gallery overview' capability (assigned to the Administrator role by default) to inject arbitrary SQL into the 'ORDER BY' clause.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated SQL injection in NextGEN Gallery <4.2.1 via the 'orderby' REST API parameter allows admin-level users to execute arbitrary SQL in the ORDER BY clause.
Vulnerability
NextGEN Gallery versions prior to 4.2.1 are vulnerable to authenticated SQL injection via the orderby parameter on the REST API endpoints /imagely/v1/galleries and /imagely/v1/albums. The root cause is an insufficient sanitization function _clean_column() in the data mapper layer that uses a character blacklist instead of a whitelist approach, allowing an attacker to inject arbitrary SQL into the ORDER BY clause [1].
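The blacklist-versus-whitelist distinction the narrative describes is easiest to see side by side. The following is an added example, not code from NextGEN Gallery or its _clean_column() function: the blacklist cleaner is a hypothetical reconstruction of the pattern (strip a few characters, pass the rest through), the whitelist cleaner is the approach the narrative recommends, and the column names, table and sample rows are constructed for the demo. Because a column name cannot be supplied as a bound parameter, an ORDER BY identifier has to be validated against a known set rather than escaped.

```python
import re
import sqlite3

# Columns a REST client may legitimately sort by (constructed for this example;
# the real plugin's column set is not on the page).
GALLERY_SORT_COLUMNS = {"gid", "name", "title", "pageid"}
SORT_DIRECTIONS = {"ASC", "DESC"}


def clean_column_blacklist(value: str) -> str:
    """Blacklist-style cleaner: remove a handful of 'dangerous' characters.

    Hypothetical reconstruction of the pattern the advisory describes, NOT the
    plugin's _clean_column(). Anything not on the strip list survives, so the
    result is not guaranteed to be a column identifier at all.
    """
    return re.sub(r"[;'\"`]", "", value)


def clean_column_whitelist(value: str, allowed=GALLERY_SORT_COLUMNS) -> str:
    """Whitelist-style cleaner: accept only a known column plus an optional direction.

    Returns a normalised 'column DIRECTION' string or raises ValueError.
    """
    parts = value.strip().split()
    if not 1 <= len(parts) <= 2:
        raise ValueError(f"bad orderby: {value!r}")
    column = parts[0].lower()
    direction = parts[1].upper() if len(parts) == 2 else "ASC"
    if column not in allowed or direction not in SORT_DIRECTIONS:
        raise ValueError(f"bad orderby: {value!r}")
    return f"{column} {direction}"


def build_query(orderby: str, cleaner) -> str:
    # The identifier is interpolated into the statement, which is exactly why
    # the cleaner must guarantee it is a column reference and nothing more.
    return f"SELECT gid, name FROM galleries ORDER BY {cleaner(orderby)}"


def demo():
    """Run the whitelist-built query on a constructed table and collect rejections."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE galleries (gid INTEGER, name TEXT, title TEXT, pageid INTEGER)")
    db.executemany(
        "INSERT INTO galleries VALUES (?, ?, ?, ?)",
        [(1, "b", "Beach", 0), (2, "a", "Alps", 0), (3, "c", "City", 0)],
    )
    rows = db.execute(build_query("name desc", clean_column_whitelist)).fetchall()

    # Inputs that are not a plain column reference: the blacklist cleaner passes
    # them through (minus a few characters), the whitelist cleaner rejects them.
    suspicious = ["gid; DROP TABLE galleries", "name, title", "(SELECT 1)"]
    passed_by_blacklist = [clean_column_blacklist(s) for s in suspicious]
    rejected_by_whitelist = []
    for s in suspicious:
        try:
            clean_column_whitelist(s)
        except ValueError:
            rejected_by_whitelist.append(s)

    return {
        "whitelist_rows": rows,
        "passed_by_blacklist": passed_by_blacklist,
        "rejected_by_whitelist": rejected_by_whitelist,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The whitelist cleaner also normalises case and direction, so the value that reaches the query is one of a small, enumerable set of strings; that property is what makes the ORDER BY safe, independent of which database engine runs it.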
Exploitation
An attacker must be authenticated with the 'NextGEN Gallery overview' capability, which is assigned to the Administrator role by default. The attacker sends a crafted request to the affected REST API endpoints with a malicious orderby parameter value that bypasses the blacklist-based filter. The injection occurs in the ORDER BY clause of the SQL query [1].
Impact
Successful exploitation allows the attacker to execute arbitrary SQL commands in the database context. This can lead to information disclosure of sensitive data, data modification, or complete compromise of the WordPress installation depending on database permissions [1].
Mitigation
Upgrade to NextGEN Gallery version 4.2.1 or later, which fixes the vulnerability. Tenable disclosed the issue on April 7, 2026, and the vendor released the patched version prior to the public advisory on May 19, 2026 [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <4.2.1