Platform
python
Component
shynet
Fixed in
0.14.0
CVE-2026-35508 is a cross-site scripting (XSS) vulnerability in Shynet. It stems from improper handling of user-supplied data in the urldisplay and iconify template filters: values these filters render are placed into HTML without adequate escaping, so an attacker who can get a crafted value into that data can have a script execute in the browser of anyone who views the affected page. The fix ships in version 0.14.0; the "0.0 through 0.14.0" range quoted elsewhere on this page should be read as every release before 0.14.0, since 0.14.0 itself contains the patch.
An attacker who exploits this flaw runs arbitrary JavaScript in the context of a Shynet user's browser session. That script can read whatever the page can reach (session cookies not protected by HttpOnly, CSRF tokens, the data shown on the page), issue requests to the application as the victim, redirect them to another site, or alter what the dashboard displays. The impact scales with what the instance holds and who views it: a dashboard shared by several administrators exposes every one of them to a single planted payload. No real-world exploitation has been reported, but XSS is consistently among the most common web attack classes.
CVE-2026-35508 was publicly disclosed on 2026-04-03. There is no indication of active exploitation, the vulnerability is not listed in the CISA KEV catalog, and no public proof of concept is available. Do not read that as low exploitability: a payload for an unescaped HTML sink is usually a single crafted string, so a working PoC can appear quickly once the affected code is known.
Self-hosted Shynet instances running a release earlier than 0.14.0 are affected. Exposure comes from any value that reaches the urldisplay or iconify filters and that an outside party can influence. Since these filters display URLs that Shynet collects, the crafted value does not have to come from a logged-in user of the instance; what matters is whether it ends up in the data the dashboard renders.
• python / server:
# Shynet runs as a Django application (commonly from the project's container image) rather than
# being installed as a pip package, so there is no shynet.__version__ to import. Check the release
# you actually deployed, for example via the image tag of the running container:
docker ps --format '{{.Image}}' | grep -i shynet
• generic web:
# Search access logs for XSS payloads in request lines and referrers, plain and percent-encoded.
# The filter names urldisplay and iconify never appear in requests, so grepping for them finds nothing;
# grep -E is required for the alternation.
grep -Ei '(<script|%3cscript|javascript:|onerror=|onload=)' /var/log/apache2/access.log
Exploit status
disclosure
EPSS
0.04% (percentile 12%)
CISA SSVC
CVSS vector
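The grep above is a coarse first pass. As an added example (not part of the advisory and not Shynet's code), the script below parses combined-format access-log lines, percent-decodes the request line and the Referer field, and flags the markers that only make sense if a value was meant to be parsed as HTML or JavaScript. Referrer URLs are exactly the kind of collected data a URL-rendering filter later displays, which is why that field is inspected too. The log lines are constructed for the example; the `/collect/` ingress path and the combined log format are assumptions.

```python
# Added example (not from the advisory): scan access-log lines for XSS payloads
# in the request line and the Referer field after percent-decoding.
# The log lines, the log format and the /collect/ path are assumptions.
import re
from urllib.parse import unquote

# Constructed sample log in Apache/nginx "combined" format.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Apr/2026:10:00:01 +0000] "GET /dashboard/ HTTP/1.1" 200 5120 "https://example.com/blog/" "Mozilla/5.0"
203.0.113.9 - - [03/Apr/2026:10:00:07 +0000] "GET /collect/?r=https://example.com/%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 43 "-" "curl/8.0"
198.51.100.2 - - [03/Apr/2026:10:00:12 +0000] "GET /collect/ HTTP/1.1" 200 43 "javascript:alert(document.cookie)" "Mozilla/5.0"
198.51.100.3 - - [03/Apr/2026:10:00:20 +0000] "GET /static/app.js HTTP/1.1" 200 9000 "https://example.com/?q=one%3D1" "Mozilla/5.0"
"""

# combined format: ip ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Markers that are only meaningful if the value is meant to be parsed as HTML/JS.
# Event handlers are listed explicitly to avoid matching query keys such as "one=".
PAYLOAD_RE = re.compile(
    r"<\s*(?:script|img|svg|iframe)\b"
    r"|\bon(?:error|load|click|mouseover|focus)\s*="
    r"|javascript\s*:",
    re.IGNORECASE,
)


def percent_decode(value: str, rounds: int = 3) -> str:
    """Decode repeatedly (bounded) so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan(log_text: str) -> list:
    """Return (client ip, field, decoded value) for every request line or
    referrer that carries a payload marker; unparseable lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for field in ("req", "ref"):
            decoded = percent_decode(m.group(field))
            if PAYLOAD_RE.search(decoded):
                findings.append((m.group("ip"), field, decoded))
    return findings


if __name__ == "__main__":
    for ip, field, value in scan(SAMPLE_LOG):
        print(f"{ip:15} {field:4} {value}")
```

Run against a real log with `scan(open(path).read())`; a hit on the referrer field of an otherwise ordinary request is the pattern to look for, because that is the value a dashboard filter would later render.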
The primary mitigation for CVE-2026-35508 is to upgrade Shynet to version 0.14.0 or later. If you cannot upgrade immediately, apply the equivalent fix locally: make the urldisplay and iconify filters HTML-escape every value they interpolate (in Django, build the markup with format_html() or escape() instead of string formatting, and do not mark unescaped strings safe), and restrict who can reach the dashboard in the meantime. A Web Application Firewall tuned for XSS payloads adds a layer of defence, but it is a stopgap: payloads can be encoded or arrive through channels the WAF does not inspect, so keep its rules current and do not treat it as a substitute for the patch.
Upgrade Shynet to version 0.14.0 or later; that release fixes the XSS vulnerabilities in the urldisplay and iconify template filters. Shynet is deployed from its source repository or container image rather than installed as a pip package, so `pip install --upgrade shynet` does not apply: check out the 0.14.0 release, or pull the matching image tag and recreate the container.
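The two filters named above are the kind of code that turns a collected URL into markup. As an added example, not Shynet's own code, the block below models hypothetical `iconify` and `urldisplay` filters first in the unescaped form that creates the XSS sink described on this page and then in a hardened form, and checks each rendering the way a browser would parse it. The icon-service URL, the sample attacker URLs and the helper names are assumptions made for the example; it uses only the standard library so it runs without Django.

```python
# Added example (not Shynet's code): hypothetical URL-rendering template filters,
# first as an XSS sink, then hardened. Standard library only; in a Django project
# the hardened versions would be registered with @register.filter and built with
# django.utils.html.format_html, which escapes the same way html.escape does.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ICON_SERVICE = "https://icons.example.invalid/"  # assumed favicon lookup service

# Constructed attacker-controlled values. Whoever can get a URL into the
# collected data (for example as a referrer) controls what the filter renders.
BREAKOUT_URL = 'https://example.com/"><img src=x onerror=alert(1)>'
SCHEME_URL = "javascript:alert(document.cookie)"


def iconify_vulnerable(url: str) -> str:
    """Interpolates the raw URL into an attribute: a double quote in the URL
    closes src="..." and everything after it is parsed as live HTML."""
    return f'<img class="icon" src="{ICON_SERVICE}{url}">'


def urldisplay_vulnerable(url: str, max_len: int = 40) -> str:
    """Shortens the URL for display and links it, again without escaping,
    so both attribute breakout and javascript: links go through."""
    shown = url if len(url) <= max_len else url[:max_len] + "..."
    return f'<a href="{url}">{shown}</a>'


def iconify_safe(url: str) -> str:
    """An icon lookup only needs the hostname: extract it, HTML-escape it and
    keep the rest of the attacker-controlled URL out of the attribute."""
    host = urlsplit(url).hostname or ""
    return f'<img class="icon" src="{ICON_SERVICE}{escape(host, quote=True)}">'


def urldisplay_safe(url: str, max_len: int = 40) -> str:
    """Escape every interpolated value (quote=True also encodes quotes, which
    matters inside attributes) and only link http(s) URLs, so a javascript:
    URL is shown as inert text without an href."""
    shown = escape(url if len(url) <= max_len else url[:max_len] + "...", quote=True)
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        return shown
    return f'<a href="{escape(url, quote=True)}">{shown}</a>'


class _TagCollector(HTMLParser):
    """Collects the attributes of every start tag, as a browser's parser would."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(attrs)


def executes_script(fragment: str) -> bool:
    """Parse the rendered fragment and report whether any element ended up with
    an event-handler attribute or a javascript: URL, i.e. whether the payload
    became markup rather than text."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    for name, value in parser.attrs:
        if name.lower().startswith("on"):
            return True
        if value and value.strip().lower().startswith("javascript:"):
            return True
    return False


if __name__ == "__main__":
    for render in (iconify_vulnerable, iconify_safe, urldisplay_vulnerable, urldisplay_safe):
        for url in (BREAKOUT_URL, SCHEME_URL):
            verdict = "XSS" if executes_script(render(url)) else "ok"
            print(f"{render.__name__:22} {verdict:4} {render(url)}")
```

The check in `executes_script` is deliberately a parse, not a string search: after escaping, the text `onerror=alert(1)` still appears in the safe output, but only as character data inside an attribute or text node, which is exactly the distinction the browser makes. In Django the same mistake usually takes the form of a filter that returns `mark_safe(...)` or is registered with `is_safe=True` while still formatting raw values into the string; that opts the result out of autoescaping, so the filter itself has to escape everything it interpolates.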
CVE-2026-35508 is a cross-site scripting (XSS) vulnerability affecting Shynet releases earlier than 0.14.0; it lets an attacker inject script through the urldisplay and iconify template filters.
If you run a Shynet release earlier than 0.14.0, you are affected. Check the deployed version and upgrade.
Upgrade Shynet to 0.14.0 or later to resolve the XSS vulnerability. Until then, patch the two filters locally so that every value they interpolate is HTML-escaped.
There is currently no public evidence of CVE-2026-35508 being actively exploited in the wild, but XSS vulnerabilities are commonly targeted.
Refer to the Shynet project's official release notes and security advisories for details on this vulnerability and the fix.