Platform: python
Component: shynet
Fixed in: 0.14.0
CVE-2026-35507 describes a Host header injection vulnerability discovered in Shynet versions 0.0 through 0.14.0. This flaw allows an attacker to manipulate the Host header during the password reset process, potentially redirecting users to malicious sites or performing other unauthorized actions. A patch is available in version 0.14.0, addressing this security concern.
Host header injection arises because Shynet trusts the client-supplied Host header when it builds the password reset flow. An attacker who triggers a password reset with a crafted Host header can make the resulting redirect point at a site they control, one that mimics the legitimate Shynet login page, and harvest the credentials entered there. Exploitation requires the attacker to trigger the password reset functionality, but the impact is significant: account compromise and, through it, exposure of the data the account can reach. The blast radius covers every user who relies on Shynet's password reset mechanism and can be tricked into entering credentials on the fake site.
CVE-2026-35507 was publicly disclosed on 2026-04-03. There is currently no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released. The vulnerability is not listed on the CISA KEV catalog at the time of this writing.
Exploit Status
EPSS: 0.01% (3rd percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-35507 is to upgrade Shynet to version 0.14.0 or later, which includes the fix. If an immediate upgrade is not feasible, add a Web Application Firewall (WAF) rule that rejects requests whose Host header is not one of the hostnames the deployment actually serves, or that contains unexpected characters. Also review Shynet's configuration to ensure the password reset functionality is not exposed to untrusted networks. After upgrading, confirm the fix by triggering a password reset and verifying that the resulting redirection URL points at the expected host.
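To make the weakness and the mitigation concrete, the following added example (written for this page; it is not Shynet's code and does not reproduce the patched logic) shows a reset link built straight from the Host header beside a hardened version that validates the header against an allowlist and then builds the link from a configured canonical origin. It also runs the "suspicious Host on a reset request" check that a WAF rule or log search would implement over a few constructed log lines. The allowlist, canonical URL, reset path and log format are all assumptions for the example.

```python
"""
Host-header handling in a password-reset flow: weak pattern, hardened
pattern, and a log check for the suspicious-Host signal.
Added illustration, not Shynet's code. Hostnames, URL, reset path and
log lines below are constructed for this example.
"""
import re
from dataclasses import dataclass

# Hostnames this deployment is willing to trust and emit in links (assumed config).
ALLOWED_HOSTS = {"analytics.example.com", "localhost"}
# Origin used for outbound links, independent of what the client sent (assumed config).
CANONICAL_BASE_URL = "https://analytics.example.com"
# Assumed path of the reset endpoint, used only by the log check below.
RESET_PATH_PREFIX = "/password-reset"

# Syntax check first: a hostname with an optional port, nothing else. Values
# with slashes, spaces or other odd characters are rejected before the
# allowlist lookup, so they never reach string comparison.
_HOST_RE = re.compile(r"^[a-z0-9.-]+(:\d{1,5})?$", re.IGNORECASE)


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed)."""
    headers: dict


class BadHost(Exception):
    """Raised when the Host header is malformed or not allowlisted."""


def reset_link_trusting_host(req, token):
    # Weak pattern: the link's origin comes straight from the client-controlled
    # Host header, so whoever triggers the reset decides where the link points.
    return f"https://{req.headers['Host']}/reset/{token}"


def validate_host(host):
    """Return the lowercase hostname if it is well-formed and allowlisted."""
    if not host or not _HOST_RE.match(host):
        raise BadHost(f"malformed Host header: {host!r}")
    name = host.split(":", 1)[0].lower()  # drop an optional port
    if name not in ALLOWED_HOSTS:
        raise BadHost(f"Host {name!r} is not an allowed host")
    return name


def reset_link_hardened(req, token):
    # Hardened pattern: reject requests whose Host is not one we serve, then
    # build the link from the configured origin rather than from the header.
    validate_host(req.headers.get("Host", ""))
    return f"{CANONICAL_BASE_URL}/reset/{token}"


# Constructed access-log lines in a simple key=value form (not real Shynet logs).
SAMPLE_LOG = """\
2026-04-03T09:12:01Z host=analytics.example.com path=/password-reset/ status=200
2026-04-03T09:12:44Z host=evil.example path=/password-reset/ status=200
2026-04-03T09:13:10Z host=evil.example path=/ status=200
2026-04-03T09:14:02Z host=localhost:8000 path=/password-reset/ status=200
""".splitlines()

_LOG_RE = re.compile(r"host=(?P<host>\S+) path=(?P<path>\S+)")


def suspicious_reset_requests(lines, reset_path_prefix=RESET_PATH_PREFIX):
    """Return log lines for reset requests whose Host fails validate_host().

    This is the condition a WAF rule or a log search for the workaround
    would match: a request to the reset endpoint with a Host we do not serve.
    """
    hits = []
    for line in lines:
        m = _LOG_RE.search(line)
        if not m or not m["path"].startswith(reset_path_prefix):
            continue
        try:
            validate_host(m["host"])
        except BadHost:
            hits.append(line)
    return hits


if __name__ == "__main__":
    victim = Request({"Host": "evil.example"})
    print("weak:", reset_link_trusting_host(victim, "tok"))
    try:
        reset_link_hardened(victim, "tok")
    except BadHost as e:
        print("hardened rejected:", e)
    for line in suspicious_reset_requests(SAMPLE_LOG):
        print("suspicious:", line)
```

The log check deliberately reuses `validate_host()` so that the WAF or search rule and the application enforce the same allowlist; a rule that only looks for "odd characters" would miss a perfectly well-formed attacker-controlled hostname, which is the case the page describes. Shynet is a Django application, and Django's `ALLOWED_HOSTS` setting performs the same allowlist check on the Host header at the framework level, so a deployment review should also confirm that setting is not wildcarded.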
Update Shynet to version 0.14.0 or higher. This version fixes the Host header injection vulnerability in the password reset flow.
CVE-2026-35507 is a medium severity vulnerability in Shynet versions 0.0-0.14.0 that allows attackers to inject malicious Host headers during the password reset process, potentially leading to phishing attacks.
You are affected if you are using Shynet versions 0.0 through 0.14.0. Upgrade to version 0.14.0 or later to mitigate the risk.
Upgrade Shynet to version 0.14.0 or later. As a temporary workaround, implement a WAF rule to filter suspicious Host headers.
There is currently no indication of active exploitation campaigns targeting CVE-2026-35507.
Refer to the Shynet project's official communication channels (e.g., GitHub repository, mailing list) for the advisory related to CVE-2026-35507.