Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L
Lifecycle Timeline
4DescriptionCVE.org
Shynet before 0.14.0 allows Host header injection in the password reset flow.
AnalysisAI
Host header injection in Shynet before 0.14.0 allows unauthenticated remote attackers to manipulate password reset functionality through crafted HTTP Host headers, enabling account hijacking and unauthorized access via email-based password reset flows. The vulnerability requires user interaction (clicking a reset link) and carries a CVSS score of 6.4 with confirmed patch availability in version 0.14.0.
Technical ContextAI
Shynet is a privacy-respecting analytics platform written in Python/Django. The vulnerability stems from improper validation of the HTTP Host header in the password reset flow (CWE-348: Exposure of Sensitive Information to an Unauthorized Actor). When generating password reset emails, the application constructs reset links using the Host header without sufficient validation, allowing an attacker to inject arbitrary hostnames. This enables an attacker to craft a malicious reset link pointing to their controlled server, intercepting the password reset token when a victim clicks the link. The affected product range includes all versions prior to 0.14.0, identified via CPE cpe:2.3:a:milesmcc:shynet:*:*:*:*:*:*:*:*.
RemediationAI
The primary remediation is to upgrade Shynet to version 0.14.0 or later, which includes the upstream fix published in PR #345 that properly validates the Host header in password reset flows. Organizations unable to immediately upgrade should implement network controls to restrict password reset functionality to authenticated sessions only, or disable password reset features temporarily if not critical to operations. The fix is available from the official Shynet GitHub repository at https://github.com/milesmcc/shynet/pull/345 and the release page at https://github.com/milesmcc/shynet/releases/tag/v0.14.0. After patching, administrators should audit password reset logs and any suspicious authentication activity during the window the vulnerability was present.
Same weakness CWE-348 – Use of Less Trusted Source
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18566
GHSA-hvm7-86pv-v2p2