CVE-2026-44204

Severity CVSS v4.0:

Pending analysis

Type:

CWE-20 Input Validation

Publication date:

12/05/2026

Last modified:

14/05/2026

Description

Shelf is a platform for tracking physical assets. From 1.12 to before 1.20.1, a SQL injection vulnerability in the sortBy query parameter on the /assets route allows any authenticated user (any role) to execute arbitrary SQL and read data from any table in the database, including data belonging to other organizations. This vulnerability is fixed in 1.20.1.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS v3.1 Severity and Metrics:

Base Score: 6.50 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): None

Base Score 3.x

6.50

Severity 3.x

MEDIUM

References to Advisories, Solutions, and Tools

https://github.com/Shelf-nu/shelf.nu/commit/5d35c15856dbf267fab4dccafd077ee7a6fa6f40
https://github.com/Shelf-nu/shelf.nu/security/advisories/GHSA-69xv-wmgg-3qp3
https://github.com/Shelf-nu/shelf.nu/security/advisories/GHSA-69xv-wmgg-3qp3