CRITICAL
awesomemotive
CVE published 2026-05-20
CVE-2026-9059
CVE-2026-9059 is a critical authenticated SQL injection vulnerability in NextGEN Gallery versions prior to 4.2.1. The flaw exists in the REST API endpoints `/imagely/v1/galleries` and `/imagely/v1/albums`, where the `orderby` parameter is insufficiently sanitized by a `_clean_column()` function that employs a blacklist-based approach rather than a whitelist. An attacker with the 'NextGEN Gallery overview' [truncated]
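An allowlist-based handler for an `orderby` value, the approach the description contrasts with the blacklist in `_clean_column()`. This is an added example, not NextGEN Gallery's code or its 4.2.1 fix; the column map, the `order` direction argument and the function name `resolve_order_by` are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical map: public sort keys => fixed SQL identifiers.
// The plugin's real table and column names are not given on the page.
const ORDERBY_ALLOWLIST = [
    'id'    => 'g.id',
    'title' => 'g.title',
    'date'  => 'g.created_at',
];

/**
 * Resolve request-supplied sort input to an ORDER BY fragment built only
 * from constants. Identifiers cannot be bound as prepared-statement
 * parameters, so the input is used as a lookup key and never concatenated.
 */
function resolve_order_by($orderby, $order): string
{
    // Array-valued parameters and other non-strings are rejected outright.
    if (!is_string($orderby) || !is_string($order)) {
        throw new InvalidArgumentException('orderby/order must be strings');
    }
    $key = strtolower(trim($orderby));
    // Exact-match lookup: anything that is not a known key is refused,
    // instead of being "cleaned" and passed through.
    if (!array_key_exists($key, ORDERBY_ALLOWLIST)) {
        throw new InvalidArgumentException('unsupported orderby value');
    }
    // Direction is a two-value enum; anything else falls back to ASC.
    $direction = strtoupper(trim($order)) === 'DESC' ? 'DESC' : 'ASC';
    return ORDERBY_ALLOWLIST[$key] . ' ' . $direction;
}

// Constructed sample inputs: two accepted, two rejected.
$samples = [['title', 'desc'], ['Date', 'sideways'], ['title extra', 'asc'], [['id'], 'asc']];
foreach ($samples as [$orderby, $order]) {
    try {
        echo resolve_order_by($orderby, $order), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

In a REST handler the rejection would map to a 400 response, which also gives defenders a clean signal to log when a client sends sort values outside the supported set.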