diff --git a/_build/build.transport.php b/_build/build.transport.php
index c19422a..3a81fb5 100644
--- a/_build/build.transport.php
+++ b/_build/build.transport.php
@@ -34,7 +34,7 @@
 /* define package */
 define('PKG_NAME','Gallery');
 define('PKG_NAME_LOWER','gallery');
-define('PKG_VERSION','1.7.0');
+define('PKG_VERSION','1.7.1');
 define('PKG_RELEASE','pl');
 /* define sources */
diff --git a/_build/config.json b/_build/config.json
index 17df10a..230d9c2 100644
--- a/_build/config.json
+++ b/_build/config.json
@@ -3,7 +3,7 @@
 ,"lowCaseName": "gallery"
 ,"description": "Gallery"
 ,"author": "Shaun McCormick"
- ,"version": "1.7.0"
+ ,"version": "1.7.1"
 ,"package":{
 "actions": [{
 "id": 1
diff --git a/_packages/gallery-1.7.0-pl.transport.zip b/_packages/gallery-1.7.1-pl.transport.zip
similarity index 65%
rename from _packages/gallery-1.7.0-pl.transport.zip
rename to _packages/gallery-1.7.1-pl.transport.zip
index b89dee2..39c45d6 100644
Binary files a/_packages/gallery-1.7.0-pl.transport.zip and b/_packages/gallery-1.7.1-pl.transport.zip differ
diff --git a/core/components/gallery/docs/changelog.txt b/core/components/gallery/docs/changelog.txt
index a86a429..2f0b723 100755
--- a/core/components/gallery/docs/changelog.txt
+++ b/core/components/gallery/docs/changelog.txt
@@ -1,5 +1,8 @@
 Changelog for Gallery.
+Gallery 1.7.1
+====================================
+- Fixed critical vulnerability in phpthumb processor
 - Fixed namespace paths
 Gallery 1.7.0
diff --git a/core/components/gallery/processors/web/phpthumb.php b/core/components/gallery/processors/web/phpthumb.php
index 892f1a6..0ced2c6 100644
--- a/core/components/gallery/processors/web/phpthumb.php
+++ b/core/components/gallery/processors/web/phpthumb.php
@@ -25,7 +25,25 @@
 $src = str_replace('+', '%27', urldecode($src));
 /* explode tag options */
-$ptOptions = $scriptProperties;
+$ptOptions = array();
+
+// Only public parameters of phpThumb should be allowed to pass from user input.
+// List properties between START PARAMETERS and START PARAMETERS in src/core/model/phpthumb/phpthumb.class.php
+$allowed = array(
+ 'src', 'new', 'w', 'h', 'wp', 'hp', 'wl', 'hl', 'ws', 'hs',
+ 'f', 'q', 'sx', 'sy', 'sw', 'sh', 'zc', 'bc', 'bg', 'fltr',
+ 'goto', 'err', 'xto', 'ra', 'ar', 'aoe', 'far', 'iar', 'maxb', 'down',
+ 'md5s', 'sfn', 'dpi', 'sia', 'phpThumbDebug'
+);
+
+/* iterate through properties */
+foreach ($scriptProperties as $property => $value) {
+ if (!in_array($property, $allowed, true)) {
+ $this->modx->log(modX::LOG_LEVEL_WARN, "Detected attempt of using private parameter `$property` (for internal usage) of phpThumb that not allowed and insecure");
+ continue;
+ }
+ $ptOptions[$property] = $value;
+}
 if (empty($ptOptions['f'])) {
 $ext = pathinfo($src, PATHINFO_EXTENSION);
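Review bot: The rejected key name is interpolated verbatim into the WARN log line inside the foreach, so a request parameter name carrying newlines or other control characters lands unfiltered in the MODX log and can forge extra log entries; a defensive form is `$this->modx->log(modX::LOG_LEVEL_WARN, 'Rejected non-public phpThumb parameter: ' . addcslashes((string) $property, "\0..\37\177"));`, which also tidies the message wording. The comment above `$allowed` reads "between START PARAMETERS and START PARAMETERS"; the second marker is presumably the END marker, so confirm the exact marker text in phpthumb.class.php and correct the comment. The allowlist admits `phpThumbDebug`, which turns on phpThumb's verbose diagnostic output; consider whether that switch should be reachable from request input at all in production, or only when a site-level debug setting is enabled. Whether `$this` is in scope here depends on how this processor file is included, which the hunk does not show; if it runs as a plain include, `$modx->log(...)` would be the conventional call.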