Description
Shelf is a platform for tracking physical assets. From 1.12 to before 1.20.1, a SQL injection vulnerability in the sortBy query parameter on the /assets route allows any authenticated user (any role) to execute arbitrary SQL and read data from any table in the database, including data belonging to other organizations. This vulnerability is fixed in 1.20.1.
Published: 2026-05-12
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Shelf is a platform for tracking physical assets. A SQL injection flaw (CWE‑89) involving unvalidated input (CWE‑20) was discovered in the sortBy query parameter on the /assets route, which allows any authenticated user—regardless of role—to execute arbitrary SQL statements. The attacker can read data from any database table, including sensitive data belonging to other organizations, thereby compromising confidentiality.

Affected Systems

The vulnerability exists in Shelf versions from 1.12 up through 1.20.0. It affects installations of the Shelf‑nu product distributed by the Shelf‑nu vendor. The defect was fixed in the 1.20.1 release, so any deployment on 1.20.1 or later is not susceptible.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity, and no EPSS score is available, which limits insight into real‑world exploitation probability. Because the flaw requires authentication, an attacker needs an active user session, but no role restrictions prevent access to all tables. The vulnerability is not listed in CISA’s KEV catalog, suggesting no widespread exploitation has been confirmed, yet it still presents a significant confidentiality risk for authenticated users.

Generated by OpenCVE AI on May 12, 2026 at 20:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Shelf to version 1.20.1 or later to receive the security fix.
  • If an upgrade is not immediately possible, restrict or temporarily block the /assets endpoint for non‑administrative roles while monitoring for abuse.
  • Implement input validation on the sortBy parameter: allow only whitelisted column names and sort directions; reject or sanitize all other values.

Generated by OpenCVE AI on May 12, 2026 at 20:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Shelf-nu
Shelf-nu shelf.nu
Vendors & Products Shelf-nu
Shelf-nu shelf.nu

Tue, 12 May 2026 18:15:00 +0000

Type Values Removed Values Added
Description Shelf is a platform for tracking physical assets. From 1.12 to before 1.20.1, a SQL injection vulnerability in the sortBy query parameter on the /assets route allows any authenticated user (any role) to execute arbitrary SQL and read data from any table in the database, including data belonging to other organizations. This vulnerability is fixed in 1.20.1.
Title Shelf: SQL Injection via sortBy Parameter
Weaknesses CWE-20
CWE-89
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Shelf-nu Shelf.nu
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T12:22:50.149Z

Reserved: 2026-05-05T15:13:47.571Z

Link: CVE-2026-44204

cve-icon Vulnrichment

Updated: 2026-05-14T12:22:39.763Z

cve-icon NVD

Status : Deferred

Published: 2026-05-12T18:17:29.883

Modified: 2026-05-14T13:16:18.993

Link: CVE-2026-44204

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T10:37:52Z

Weaknesses