CVE-2026-9059 (GCVE-0-2026-9059)
Vulnerability from cvelistv5 – Published: 2026-05-20 07:41 – Updated: 2026-05-20 14:46
Title
NextGEN Gallery - SQL Injection
Summary
NextGEN Gallery versions prior to 4.2.1 are vulnerable to authenticated SQL injection via the 'orderby' parameter on the REST API endpoints '/imagely/v1/galleries' and '/imagely/v1/albums'.
The root cause is an insufficient sanitization function ('_clean_column()') in the data mapper layer that uses a character blacklist instead of a whitelist approach. This allows an authenticated attacker with the 'NextGEN Gallery overview' capability (assigned to the Administrator role by default) to inject arbitrary SQL into the 'ORDER BY' clause.
Severity
- CVSS 4.0 base score 9.3 (Critical): CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H
CWE
- CWE-89 - Improper neutralization of special elements used in an SQL command ('SQL injection')
Assigner
- tenable
References
1 reference
- https://www.tenable.com/security/research/tra-2026-42
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| awesomemotive | NextGEN Gallery | Affected: O, < 4.2.1 (custom) |
Date Public
2026-05-20 07:28
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9059",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T14:30:36.432608Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T14:46:16.064Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://fr.wordpress.org/plugins/nextgen-gallery/",
"defaultStatus": "unaffected",
"product": "NextGEN Gallery",
"vendor": "awesomemotive",
"versions": [
{
"lessThan": "4.2.1",
"status": "affected",
"version": "O",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-05-20T07:28:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eNextGEN Gallery version prior to 4.2.1 are vulnerable to authenticated SQL injection via the \u0027orderby\u0027 parameter on the REST API endpoints \u0027/imagely/v1/galleries\u0027 and \u0027/imagely/v1/albums\u0027.\u003c/p\u003e\u003cp\u003eThe root cause is an insufficient sanitization function (\u0027_clean_column()\u0027) in the data mapper layer that uses a character blacklist instead of a whitelist approach. This allows an authenticated attacker with the \u0027NextGEN Gallery overview\u0027 capability (assigned to the Administrator role by default) to inject arbitrary SQL into the \u0027ORDER BY\u0027 clause.\u003c/p\u003e"
}
],
"value": "NextGEN Gallery version prior to 4.2.1 are vulnerable to authenticated SQL injection via the \u0027orderby\u0027 parameter on the REST API endpoints \u0027/imagely/v1/galleries\u0027 and \u0027/imagely/v1/albums\u0027.\n\n\n\nThe root cause is an insufficient sanitization function (\u0027_clean_column()\u0027) in the data mapper layer that uses a character blacklist instead of a whitelist approach. This allows an authenticated attacker with the \u0027NextGEN Gallery overview\u0027 capability (assigned to the Administrator role by default) to inject arbitrary SQL into the \u0027ORDER BY\u0027 clause."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper neutralization of special elements used in an SQL command (\u0027SQL injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T07:59:31.182Z",
"orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"shortName": "tenable"
},
"references": [
{
"url": "https://www.tenable.com/security/research/tra-2026-42"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "NextGEN Gallery - SQL Injection",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"assignerShortName": "tenable",
"cveId": "CVE-2026-9059",
"datePublished": "2026-05-20T07:41:28.135Z",
"dateReserved": "2026-05-20T06:51:03.927Z",
"dateUpdated": "2026-05-20T14:46:16.064Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-9059",
"date": "2026-05-27",
"epss": "0.00036",
"percentile": "0.1107"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.