Platform
python
Component
shynet
Fixed in
0.14.0
CVE-2026-35508 describes a cross-site scripting (XSS) vulnerability discovered in Shynet versions 0.0 through 0.14.0. This flaw allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to data theft or session hijacking. The vulnerability stems from improper handling of user-supplied data within the urldisplay and iconify template filters. A patch is available in version 0.14.0.
The XSS vulnerability in Shynet allows an attacker to execute arbitrary JavaScript code within the context of a user's browser. This can be exploited to steal sensitive information, such as cookies and session tokens, which can then be used to impersonate the user. Attackers could also redirect users to malicious websites, deface the application, or inject malware. The impact is amplified if Shynet is used in a high-traffic application or handles sensitive user data, as a successful attack could affect a large number of users. While no specific real-world exploits have been publicly reported for this vulnerability, XSS vulnerabilities are consistently among the most common attack vectors.
CVE-2026-35508 was publicly disclosed on 2026-04-03. There is no indication of this vulnerability being actively exploited in the wild. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not currently available, but the nature of XSS vulnerabilities means that it is likely a PoC will be developed in the near future.
Exploit Status
EPSS
0.04% (12% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-35508 is to upgrade Shynet to version 0.14.0 or later, which contains the fix for this vulnerability. If upgrading immediately is not possible, consider implementing input validation and output encoding on user-supplied data used in the urldisplay and iconify template filters. Additionally, a Web Application Firewall (WAF) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review and update your WAF rules to ensure they are effective against the latest XSS techniques.
Update Shynet to version 0.14.0 or higher. This version fixes the XSS vulnerabilities in the urldisplay and iconify template filters. The update can be performed via pip: `pip install --upgrade shynet`.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-35508 is a cross-site scripting (XSS) vulnerability affecting Shynet versions 0.0 to 0.14.0, allowing attackers to inject malicious scripts via template filters.
If you are using Shynet versions 0.0 through 0.14.0, you are potentially affected by this vulnerability. Check your version and upgrade if necessary.
Upgrade Shynet to version 0.14.0 or later to resolve the XSS vulnerability. Consider input validation and output encoding as a temporary mitigation.
There is currently no public evidence of CVE-2026-35508 being actively exploited in the wild, but XSS vulnerabilities are commonly targeted.
Refer to the Shynet project's official release notes and security advisories for details on this vulnerability and the fix.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.