Skip to main content

Shynet CVE-2026-35508

| EUVDEUVD-2026-18568 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-03 mitre GHSA-92xp-7pvg-5vqp
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
0.14.0
EUVD ID Assigned
Apr 03, 2026 - 01:45 euvd
EUVD-2026-18568
Analysis Generated
Apr 03, 2026 - 01:45 vuln.today
CVE Published
Apr 03, 2026 - 01:13 nvd
MEDIUM 5.4

DescriptionCVE.org

Shynet before 0.14.0 allows XSS in urldisplay and iconify template filters,

AnalysisAI

Cross-site scripting (XSS) in Shynet before version 0.14.0 allows unauthenticated remote attackers to inject arbitrary scripts through the urldisplay and iconify template filters, potentially compromising user sessions and data integrity with medium attack complexity and cross-site scope. The vulnerability affects the analytics platform's template rendering layer and has been patched in version 0.14.0 with no confirmed active exploitation reported.

Technical ContextAI

Shynet is a privacy-focused analytics platform that uses Django template filters for processing and displaying data. The vulnerability exists in two template filters-urldisplay and iconify-which fail to properly sanitize or escape user-controlled input before rendering it in HTML contexts. This is a reflected or stored XSS issue (CWE-79: Improper Neutralization of Input During Web Page Generation) where untrusted data is inserted into template output without adequate HTML entity encoding or context-appropriate escaping. The template filters are commonly used in analytics dashboards to format URLs and display icons, making them accessible to any user viewing analytics pages.

RemediationAI

Vendor-released patch: Upgrade Shynet to version 0.14.0 or later. This patch addresses the XSS vulnerabilities in the urldisplay and iconify template filters by implementing proper input sanitization and output encoding. Users should update their installations immediately via the official GitHub repository at https://github.com/milesmcc/shynet. Verify the update by checking the installed version matches 0.14.0 or higher. No known workarounds are available for earlier versions other than disabling the affected template filters if operationally feasible, though this is not recommended as a permanent solution.

Share

CVE-2026-35508 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy