CVE-2026-44425
ShellHub: Crash-DoS via field injection in filter and sort-by parameters
CVSS Score
5.4
EPSS Score
0.0%
EPSS Percentile
0th
ShellHub is a centralized SSH gateway. Prior to 0.24.2, the device list endpoint accepts user-controlled identifiers in the the name field of each filter property in the base64-encoded filter query parameter and the sort_by query parameter, which are then passed directly as BSON/SQL keys in the database layer without validation. Any authenticated user can craft payloads that cause the aggregation / query to fail and the API to return HTTP 500 with no body, with no rate limiting applied. This vulnerability is fixed in 0.24.2.
| CWE | CWE-20 CWE-943 CWE-1333 |
| Vendor | shellhub-io |
| Product | shellhub |
| Published | May 13, 2026 |
Stay Ahead of the Next One
Get instant alerts for shellhub-io shellhub
Be the first to know when new medium vulnerabilities affecting shellhub-io shellhub are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low
Affected Versions
shellhub-io / shellhub
< 0.24.2