PT-2026-42122 · WordPress · Nextgen Gallery

Published

2026-05-20

·

Updated

2026-05-20

·

CVE-2026-9059

CVSS v4.0

9.3

Critical

VectorAV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions NextGEN Gallery versions prior to 4.2.1
Description Authenticated users with the 'NextGEN Gallery overview' capability, typically assigned to the Administrator role, can perform SQL injection by sending arbitrary SQL into the 'ORDER BY' clause. This occurs due to the clean column() function in the data mapper layer using a character blacklist instead of a whitelist for sanitization. The issue affects the orderby parameter on the REST API endpoints '/imagely/v1/galleries' and '/imagely/v1/albums'.
Recommendations Update to version 4.2.1 or later. As a temporary workaround, restrict access to the '/imagely/v1/galleries' and '/imagely/v1/albums' endpoints or avoid using the orderby parameter until the update is applied.

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-9059

Affected Products

Nextgen Gallery