CVE-2026-44425
Severity CVSS v4.0:
Pending analysis
Type:
CWE-20
Input Validation
Publication date:
13/05/2026
Last modified:
18/05/2026
Description
ShellHub is a centralized SSH gateway. Prior to 0.24.2, the device list endpoint accepts user-controlled identifiers in the the name field of each filter property in the base64-encoded filter query parameter and the sort_by query parameter, which are then passed directly as BSON/SQL keys in the database layer without validation. Any authenticated user can craft payloads that cause the aggregation / query to fail and the API to return HTTP 500 with no body, with no rate limiting applied. This vulnerability is fixed in 0.24.2.
Impact
Base Score 3.x
5.40
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:shellhub:shellhub:*:*:*:*:*:*:*:* | 0.24.2 (excluding) |
To consult the complete list of CPE names with products and versions, see this page



