Skip to main content

Shynet CVE-2026-35507

| EUVDEUVD-2026-18566 MEDIUM
Use of Less Trusted Source (CWE-348)
2026-04-03 mitre GHSA-hvm7-86pv-v2p2
6.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.4 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
0.14.0
EUVD ID Assigned
Apr 03, 2026 - 01:45 euvd
EUVD-2026-18566
Analysis Generated
Apr 03, 2026 - 01:45 vuln.today
CVE Published
Apr 03, 2026 - 01:00 nvd
MEDIUM 6.4

DescriptionCVE.org

Shynet before 0.14.0 allows Host header injection in the password reset flow.

AnalysisAI

Host header injection in Shynet before 0.14.0 allows unauthenticated remote attackers to manipulate password reset functionality through crafted HTTP Host headers, enabling account hijacking and unauthorized access via email-based password reset flows. The vulnerability requires user interaction (clicking a reset link) and carries a CVSS score of 6.4 with confirmed patch availability in version 0.14.0.

Technical ContextAI

Shynet is a privacy-respecting analytics platform written in Python/Django. The vulnerability stems from improper validation of the HTTP Host header in the password reset flow (CWE-348: Exposure of Sensitive Information to an Unauthorized Actor). When generating password reset emails, the application constructs reset links using the Host header without sufficient validation, allowing an attacker to inject arbitrary hostnames. This enables an attacker to craft a malicious reset link pointing to their controlled server, intercepting the password reset token when a victim clicks the link. The affected product range includes all versions prior to 0.14.0, identified via CPE cpe:2.3:a:milesmcc:shynet:*:*:*:*:*:*:*:*.

RemediationAI

The primary remediation is to upgrade Shynet to version 0.14.0 or later, which includes the upstream fix published in PR #345 that properly validates the Host header in password reset flows. Organizations unable to immediately upgrade should implement network controls to restrict password reset functionality to authenticated sessions only, or disable password reset features temporarily if not critical to operations. The fix is available from the official Shynet GitHub repository at https://github.com/milesmcc/shynet/pull/345 and the release page at https://github.com/milesmcc/shynet/releases/tag/v0.14.0. After patching, administrators should audit password reset logs and any suspicious authentication activity during the window the vulnerability was present.

Share

CVE-2026-35507 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy