CVE-2026-9059

CVE-2026-9059 is a critical-severity vulnerability with a CVSS 4.0 base score of 9.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-89.

Key facts

Description

NextGEN Gallery version prior to 4.2.1 are vulnerable to authenticated SQL injection via the 'orderby' parameter on the REST API endpoints '/imagely/v1/galleries' and '/imagely/v1/albums'. The root cause is an insufficient sanitization function ('_clean_column()') in the data mapper layer that uses a character blacklist instead of a whitelist approach. This allows an authenticated attacker with the 'NextGEN Gallery overview' capability (assigned to the Administrator role by default) to inject arbitrary SQL into the 'ORDER BY' clause.

Frequently asked questions

What is CVE-2026-9059?
NextGEN Gallery version prior to 4.2.1 are vulnerable to authenticated SQL injection via the 'orderby' parameter on the REST API endpoints '/imagely/v1/galleries' and '/imagely/v1/albums'. The root cause is an insufficient sanitization function ('_clean_column()') in the data mapper layer that uses a character blacklist instead of a whitelist approach. This allows an authenticated attacker with the 'NextGEN Gallery overview' capability (assigned to the Administrator role by default) to inject arbitrary SQL into the 'ORDER BY' clause.
How severe is CVE-2026-9059?
CVE-2026-9059 has a CVSS 4.0 base score of 9.3, rated critical severity.
Is CVE-2026-9059 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (21st percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2026-9059?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
Does CVE-2026-9059 have an EU (EUVD) identifier?
Yes. CVE-2026-9059 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-31073.
When was CVE-2026-9059 published?
CVE-2026-9059 was published on 2026-05-20 and last updated on 2026-06-17.

References

Other CWE-89 (SQL Injection) vulnerabilities

Browse all CWE-89 (SQL Injection) vulnerabilities →