CVE-2026-44204

Source
https://cve.org/CVERecord?id=CVE-2026-44204
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44204.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-44204
Aliases
  • GHSA-69xv-wmgg-3qp3
Published
2026-05-12T17:45:58.504Z
Modified
2026-07-15T01:49:11.059044783Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Shelf: SQL Injection via sortBy Parameter
Details

Shelf is a platform for tracking physical assets. From 1.12 to before 1.20.1, a SQL injection vulnerability in the sortBy query parameter on the /assets route allows any authenticated user (any role) to execute arbitrary SQL and read data from any table in the database, including data belonging to other organizations. This vulnerability is fixed in 1.20.1.

Database specific
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44204.json",
    "cwe_ids": [
        "CWE-20",
        "CWE-89"
    ]
}
References

Affected packages

Git / github.com/shelf-nu/shelf.nu

Affected ranges

Type
GIT
Repo
https://github.com/shelf-nu/shelf.nu
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "1.12"
        },
        {
            "fixed": "1.20.1"
        }
    ]
}

Affected versions

shelf@1.*
shelf@1.12
shelf@1.12.1
shelf@1.12.2
shelf@1.12.3
shelf@1.12.4
shelf@1.12.5
shelf@1.12.6
shelf@1.13.0
shelf@1.13.1
shelf@1.14.0
shelf@1.14.1
shelf@1.14.2
shelf@1.14.3
shelf@1.15.0
shelf@1.15.1
shelf@1.16.0
shelf@1.16.1
shelf@1.16.2
shelf@1.16.3
shelf@1.16.4
shelf@1.17.0
shelf@1.17.1
shelf@1.17.2
shelf@1.18.0
shelf@1.18.1
shelf@1.18.2
shelf@1.18.3
shelf@1.18.4
shelf@1.18.5
shelf@1.18.6
shelf@1.19.0
shelf@1.20.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44204.json"