Severity by source
AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Shynet before 0.14.0 allows XSS in urldisplay and iconify template filters,
AnalysisAI
Cross-site scripting (XSS) in Shynet before version 0.14.0 allows unauthenticated remote attackers to inject arbitrary scripts through the urldisplay and iconify template filters, potentially compromising user sessions and data integrity with medium attack complexity and cross-site scope. The vulnerability affects the analytics platform's template rendering layer and has been patched in version 0.14.0 with no confirmed active exploitation reported.
Technical ContextAI
Shynet is a privacy-focused analytics platform that uses Django template filters for processing and displaying data. The vulnerability exists in two template filters-urldisplay and iconify-which fail to properly sanitize or escape user-controlled input before rendering it in HTML contexts. This is a reflected or stored XSS issue (CWE-79: Improper Neutralization of Input During Web Page Generation) where untrusted data is inserted into template output without adequate HTML entity encoding or context-appropriate escaping. The template filters are commonly used in analytics dashboards to format URLs and display icons, making them accessible to any user viewing analytics pages.
RemediationAI
Vendor-released patch: Upgrade Shynet to version 0.14.0 or later. This patch addresses the XSS vulnerabilities in the urldisplay and iconify template filters by implementing proper input sanitization and output encoding. Users should update their installations immediately via the official GitHub repository at https://github.com/milesmcc/shynet. Verify the update by checking the installed version matches 0.14.0 or higher. No known workarounds are available for earlier versions other than disabling the affected template filters if operationally feasible, though this is not recommended as a permanent solution.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18568
GHSA-92xp-7pvg-5vqp