Description
NextGEN Gallery versions prior to 4.2.1 are vulnerable to authenticated SQL injection via the 'orderby' parameter on the REST API endpoints '/imagely/v1/galleries' and '/imagely/v1/albums'.

The root cause is an insufficient sanitization function ('_clean_column()') in the data mapper layer that uses a character blacklist instead of a whitelist approach. This allows an authenticated attacker with the 'NextGEN Gallery overview' capability (assigned to the Administrator role by default) to inject arbitrary SQL into the 'ORDER BY' clause.
Published: 2026-05-20
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated SQL injection flaw exists in NextGEN Gallery versions prior to 4.2.1. The vulnerability is triggered by manipulating the 'orderby' parameter on the REST API endpoints '/imagely/v1/galleries' and '/imagely/v1/albums'. Because the data mapper layer uses a blacklist sanitization for the ORDER BY clause, an attacker who can authenticate with the 'NextGEN Gallery overview' capability—normally assigned to the Administrator role—can inject arbitrary SQL and potentially read, modify, or delete data stored in the underlying database.
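The following is an added example, not code from the plugin or from the CVE record. It models the blacklist-versus-whitelist distinction the description refers to: a hypothetical column cleaner that strips quote, semicolon and comment characters (assumed here; the plugin's real '_clean_column()' logic is not on this page), a hypothetical galleries/users schema, and an ORDER BY expression that contains none of the blacklisted characters yet lets an attacker infer data one character at a time from the row order. Python with SQLite stands in for the plugin's MySQL backend, so SQLite's char()/unicode() play the role of MySQL's CHAR()/ORD().

```python
import re
import sqlite3
from typing import Optional

# Constructed stand-in for a blacklist-style column cleaner: it strips the
# characters that usually break out of a string literal or start a comment
# and passes everything else through. Hypothetical; not the plugin's code.
BLACKLIST = re.compile(r"""['";\\]|--|/\*|\*/""")


def clean_column_blacklist(value: str) -> str:
    """Blacklist approach: remove 'dangerous' characters, keep the rest."""
    return BLACKLIST.sub("", value)


# Whitelist approach: an ORDER BY column may only be one of a fixed set of
# known column names (hypothetical column set for this example).
ALLOWED_COLUMNS = {"gid", "title", "author", "pageid", "slug"}


def clean_column_whitelist(value: str) -> str:
    """Whitelist approach: anything that is not a known column is rejected."""
    if value not in ALLOWED_COLUMNS:
        raise ValueError(f"orderby {value!r} is not a permitted column")
    return value


ORDER_BY_GID = [1, 2, 3]    # row order a legitimate ORDER BY gid yields below
ORDER_BY_TITLE = [2, 3, 1]  # row order a legitimate ORDER BY title yields below


def build_db() -> sqlite3.Connection:
    """Constructed sample schema: a galleries table plus a users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE galleries (gid INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO galleries VALUES (1, 'zeta'), (2, 'alpha'), (3, 'mid');
        CREATE TABLE users (user_login TEXT, user_pass TEXT);
        INSERT INTO users VALUES ('admin', '$P$constructed-sample-hash');
    """)
    return conn


def list_galleries(conn, orderby: str, cleaner) -> list:
    """Mimics an endpoint that interpolates the cleaned 'orderby' into ORDER BY."""
    column = cleaner(orderby)
    sql = f"SELECT gid, title FROM galleries ORDER BY {column}"
    return [row[0] for row in conn.execute(sql)]


def oracle_payload(code_point: int) -> str:
    """ORDER BY expression containing no quotes, semicolons or comment markers.

    It sorts by gid when the first character of the admin password hash has
    the given code point and by title otherwise, so the response row order
    leaks one bit per request. CHAR(97,100,109,105,110) spells 'admin'
    without a quoted string literal.
    """
    return (
        "(SELECT CASE WHEN (SELECT unicode(substr(user_pass, 1, 1)) FROM users "
        "WHERE user_login = CHAR(97, 100, 109, 105, 110))"
        f" = {code_point} THEN gid ELSE title END)"
    )


def recover_first_char(conn) -> Optional[str]:
    """Boolean-based inference through the blacklist cleaner: the row order is
    the only signal the attacker needs."""
    for cp in range(32, 127):
        order = list_galleries(conn, oracle_payload(cp), clean_column_blacklist)
        if order == ORDER_BY_GID:
            return chr(cp)
    return None


def whitelist_blocks(payload: str) -> bool:
    """True when the whitelist cleaner refuses the payload outright."""
    try:
        clean_column_whitelist(payload)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    payload = oracle_payload(36)  # 36 is '$'
    print("blacklist left payload intact:", clean_column_blacklist(payload) == payload)
    print("first hash char recovered:", recover_first_char(db))
    print("whitelist rejects payload:", whitelist_blocks(payload))
```

The point the example makes is that an ORDER BY clause cannot be made safe by removing characters: a subquery with a CASE expression needs no quotes, semicolons or comment sequences, so a blacklist has nothing to strip, while a whitelist of column names rejects it before any SQL is built. The same holds for prepared statements, which cannot parameterize an identifier position such as ORDER BY; the column name has to be validated against a fixed list.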

Affected Systems

The affected product is NextGEN Gallery from awesomemotive. All releases before version 4.2.1 are vulnerable. Any authenticated user holding the 'NextGEN Gallery overview' capability can exploit the flaw; WordPress assigns that capability to the Administrator role by default, but any other role granted it is equally exposed.

Risk and Exploitability

The CVSS 4.0 base score of 9.3 is rated Critical, while the EPSS estimate is below 1% and the flaw is not listed in the CISA KEV catalog. Exploitation requires an authenticated account with the 'NextGEN Gallery overview' capability, which narrows the attacker pool to administrators (or other roles granted the capability) but does not eliminate the threat: a compromised administrator session or credentials is sufficient. The attacker needs network access to the WordPress REST API and submits a crafted 'orderby' value to either endpoint. The vector rates confidentiality and integrity impact as High, so successful exploitation allows reading or tampering with the contents of the WordPress database, including tables unrelated to the plugin.

Generated by OpenCVE AI on May 20, 2026 at 09:50 UTC.

Remediation

The CVE record lists no vendor fix or workaround. The description states that versions prior to 4.2.1 are affected, which indicates the fix is in 4.2.1.

OpenCVE Recommended Actions

  • Update NextGEN Gallery to version 4.2.1 or later, which contains the fixed sanitization logic.
  • Restrict the 'NextGEN Gallery overview' capability to the minimum set of trusted users and do not grant it to non‑administrator roles; audit any role or capability plugins that may have extended it.
  • Until the update is applied, limit access to the /imagely/v1/* REST endpoints at the network or application firewall (for example, to administrator IP ranges). The endpoints already require authentication, so a source-address allow list is the added control; a WAF rule that rejects 'orderby' values other than a bare column name is a reasonable stop-gap.

Advisories

No advisories yet.

History

Wed, 20 May 2026 15:30:00 +0000

Type: Metrics
Values Removed: none
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 20 May 2026 11:45:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Awesomemotive; Awesomemotive nextgen Gallery; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: none
Values Added: Awesomemotive; Awesomemotive nextgen Gallery; Wordpress; Wordpress wordpress

Wed, 20 May 2026 08:45:00 +0000

Type: Description
Values Removed: none
Values Added: NextGEN Gallery versions prior to 4.2.1 are vulnerable to authenticated SQL injection via the 'orderby' parameter on the REST API endpoints '/imagely/v1/galleries' and '/imagely/v1/albums'. The root cause is an insufficient sanitization function ('_clean_column()') in the data mapper layer that uses a character blacklist instead of a whitelist approach. This allows an authenticated attacker with the 'NextGEN Gallery overview' capability (assigned to the Administrator role by default) to inject arbitrary SQL into the 'ORDER BY' clause.

Type: Title
Values Removed: none
Values Added: NextGEN Gallery - SQL Injection

Type: Weaknesses
Values Removed: none
Values Added: CWE-89

Type: References
Values Removed: none
Values Added: none

Type: Metrics
Values Removed: none
Values Added: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: tenable

Published:

Updated: 2026-05-20T14:46:16.064Z

Reserved: 2026-05-20T06:51:03.927Z

Link: CVE-2026-9059

Vulnrichment

Updated: 2026-05-20T14:46:10.523Z

NVD

Status : Deferred

Published: 2026-05-20T09:16:27.020

Modified: 2026-05-20T14:01:24.027

Link: CVE-2026-9059

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T10:37:51Z

Weaknesses