[CRITICAL] CVE-2026-9059 — CVSS 9.3 (May 20, 2026)

A CRITICAL-severity vulnerability identified as CVE-2026-9059 has been published on May 20, 2026 with a CVSS base score of 9.3. This security advisory provides a detailed breakdown of the vulnerability, its potential impact, weakness classification, and actionable steps to protect your systems.

Vulnerability Details

CVE ID: CVE-2026-9059
Severity: CRITICAL
CVSS Score: 9.3
Published: May 20, 2026
Weakness (CWE): CWE-89

Technical Description

NextGEN Gallery version prior to 4.2.1 are vulnerable to authenticated SQL injection via the 'orderby' parameter on the REST API endpoints '/imagely/v1/galleries' and '/imagely/v1/albums'. The root cause is an insufficient sanitization function ('_clean_column()') in the data mapper layer that uses a character blacklist instead of a whitelist approach. This allows an authenticated attacker with the 'NextGEN Gallery overview' capability (assigned to the Administrator role by default) to inject arbitrary SQL into the 'ORDER BY' clause.

Potential Impact

If exploited, this critical-severity vulnerability could allow an attacker to cause significant damage to affected systems. Organizations running affected software should treat this as a priority remediation item.

Recommended Action

No official patch is available yet. Until one is released:

1. Monitor the official NVD page and vendor channels for patch announcements.
2. Restrict access to the affected system or service where possible.
3. Apply network-level mitigations such as firewall rules or WAF policies.
4. Enable logging and alerting for anomalous activity related to this vulnerability.
5. Review your incident response plan in case of active exploitation.

View full details on NVD →

References

• Reference 1

Related Security Advisories

• [HIGH] CVE-2026-2993 — CVSS 7.5 (May 12, 2026) — HIGH / CVSS 7.5
• [HIGH] CVE-2026-3359 — CVSS 7.5 (May 5, 2026) — HIGH / CVSS 7.5
• [CRITICAL] CVE-2026-5229 — CVSS 9.8 (May 15, 2026) — CRITICAL / CVSS 9.8