CVE-2026-44425

5.4 MEDIUM

ShellHub is a centralized SSH gateway

Published: 2026-05-13 · Last updated: 2026-05-18

Severity and scoring

CVSS: 5.4 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
CWE: CWE-1333, CWE-20, CWE-943

Affected products

Vendor	Product
shellhub	shellhub

Description

ShellHub is a centralized SSH gateway. Prior to 0.24.2, the device list endpoint accepts user-controlled identifiers in the the name field of each filter property in the base64-encoded filter query parameter and the sort_by query parameter, which are then passed directly as BSON/SQL keys in the database layer without validation. Any authenticated user can craft payloads that cause the aggregation / query to fail and the API to return HTTP 500 with no body, with no rate limiting applied. This vulnerability is fixed in 0.24.2.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-44425
[Vendor advisory]https://github.com/shellhub-io/shellhub/security/advisories/GHSA-47r2-v3x6-wff9

Related CVEs

Same vendor

CVE-2026-44424 — ShellHub is a centralized SSH gateway (6.5 MEDIUM)

Same CWE

CVE-2026-45329 — ESF-IDF is the Espressif Internet of Things (IOT) Development Framework (7.1 HIGH)
CVE-2026-45328 — ESF-IDF is the Espressif Internet of Things (IOT) Development Framework (9.3 CRITICAL)
CVE-2026-53674 — BuddyPress 14.4.0 contains a regular expression injection vulnerability in the activity mention resolver that, when username compatibilit... (7.1 HIGH)
CVE-2026-41727 — Spring Kafka's retry topic infrastructure did not sufficiently validate user-controlled header values before acting on them (6.5 MEDIUM)
CVE-2026-41697 — Spring Data Relational does not properly escape binding values of externally-controlled input when using StringMatcher (STARTING, ENDING,... (4.8 MEDIUM)