Critical severityNVD Advisory· Published May 20, 2026· Updated May 20, 2026
CVE-2026-9059
CVE-2026-9059
Description
NextGEN Gallery version prior to 4.2.1 are vulnerable to authenticated SQL injection via the 'orderby' parameter on the REST API endpoints '/imagely/v1/galleries' and '/imagely/v1/albums'.
The root cause is an insufficient sanitization function ('_clean_column()') in the data mapper layer that uses a character blacklist instead of a whitelist approach. This allows an authenticated attacker with the 'NextGEN Gallery overview' capability (assigned to the Administrator role by default) to inject arbitrary SQL into the 'ORDER BY' clause.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1- Range: <4.2.1
Patches
Vulnerability mechanics
References
1News mentions
0No linked articles in our index yet.