Description
XooGallery Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the gal_id parameter. Attackers can send GET requests to gal.php with malicious gal_id values to extract sensitive database information or modify database contents.
Published: 2026-03-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Exposure and Modification via Unauthenticated SQL Injection
Action: Apply Patch
AI Analysis

Impact

The flaw in XooGallery allows unprivileged users to inject SQL code by manipulating the gal_id parameter in a URL. The injection is not sanitized and can be used to read confidential database entries or to alter or delete data. The weakness is a classic SQL Injection (CWE-89).

Affected Systems

XooGallery, a content management system from Xooscripts, is affected. The vulnerability is documented for the generic product without specifying a particular version, indicating that recent public releases are at risk. Any installation that exposes gal.php to external traffic is susceptible.

Risk and Exploitability

The CVSS score of 8.8 places the vulnerability in the high severity range, showing that full data compromise is possible. The EPSS score of less than 1% suggests that exploitation is currently unlikely in the wild, and the vulnerability is not in the CISA KEV catalog. The attack vector is inferred to be network-based via HTTP GET requests, requiring no authentication.

Generated by OpenCVE AI on March 23, 2026 at 15:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade XooGallery to the latest patched release from Xooscripts as soon as possible.
  • If an upgrade cannot be performed immediately, restrict access to gal.php to trusted IP addresses only or place the page behind a firewall that limits inbound traffic.
  • Add server-side input validation or sanitization to the gal_id parameter to block malformed requests.
  • Regularly review database logs for unusual queries that indicate attempted SQL injection activity.
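The following is an added example, not XooGallery's or Xooscripts' code, showing what the recommended server-side validation and a parameterized query look like for a parameter such as gal_id. The table and column names (galleries, gal_id, gal_name), the environment-variable names for the database connection, and the error messages are assumptions; the actual structure of gal.php is not on this page.

```php
<?php
// Added example (not XooGallery code): hardened handling of the gal_id
// request parameter. Table/column names and connection settings below are
// assumptions for illustration. The vulnerable pattern this replaces is
// splicing the raw $_GET['gal_id'] string into the SQL text.

declare(strict_types=1);

/**
 * Validate gal_id as a positive integer. Returns null for a missing,
 * non-numeric, or non-positive value, so nothing but a clean integer
 * ever reaches the database layer.
 */
function parse_gal_id(array $query): ?int
{
    if (!isset($query['gal_id'])) {
        return null;
    }
    $id = filter_var($query['gal_id'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

/**
 * Fetch one gallery row with a prepared statement. The value is bound as
 * an integer parameter, so it is never interpreted as part of the SQL.
 */
function fetch_gallery(PDO $db, int $galId): ?array
{
    $stmt = $db->prepare('SELECT gal_id, gal_name FROM galleries WHERE gal_id = :id');
    $stmt->bindValue(':id', $galId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Request handling as it would sit at the top of gal.php.
$galId = parse_gal_id($_GET);
if ($galId === null) {
    // Log rejected input: these entries are what the "review logs for
    // attempted SQL injection" recommendation above would look for.
    error_log('gal.php: rejected invalid gal_id from '
        . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    http_response_code(400);
    exit('Invalid gallery id');
}

// Connection details are assumed to come from the environment.
$db = new PDO(
    getenv('XOO_DSN') ?: 'mysql:host=localhost;dbname=xoogallery;charset=utf8mb4',
    getenv('XOO_DB_USER') ?: '',
    getenv('XOO_DB_PASS') ?: '',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

$gallery = fetch_gallery($db, $galId);
if ($gallery === null) {
    http_response_code(404);
    exit('Gallery not found');
}

// Encode on output as well, so a stored value cannot become script/HTML injection.
echo htmlspecialchars($gallery['gal_name'], ENT_QUOTES, 'UTF-8');
```

The two controls are independent: the integer check rejects malformed input before any query runs (and produces a log line for the review step), and the bound parameter means that even a value which slipped past validation would be sent to the database as data, not as SQL.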

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 13:45:00 +0000

Type | Values removed | Values added
CPEs | | cpe:2.3:a:xooscripts:xoogallery:-:*:*:*:*:*:*:*

Fri, 13 Mar 2026 10:00:00 +0000

Type | Values removed | Values added
First time appeared | | Xooscripts; Xooscripts xoogallery
Vendors & Products | | Xooscripts; Xooscripts xoogallery

Thu, 12 Mar 2026 17:15:00 +0000

Type | Values removed | Values added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 16:00:00 +0000

Type | Values removed | Values added
Description | | XooGallery Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the gal_id parameter. Attackers can send GET requests to gal.php with malicious gal_id values to extract sensitive database information or modify database contents.
Title | | XooGallery Lastest Latest SQL Injection via gal.php gal_id
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
Metrics | | cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-12T16:45:42.053Z

Reserved: 2026-03-12T13:54:38.788Z

Link: CVE-2019-25521

Vulnrichment

Updated: 2026-03-12T16:45:30.136Z

NVD

Status: Analyzed

Published: 2026-03-12T16:16:05.147

Modified: 2026-03-23T13:43:51.973

Link: CVE-2019-25521

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:39:51Z

Weaknesses