Shynet 0.14.0より前のバージョンでは、パスワードリセットフローにおけるHostヘッダーインジェクションが可能です。

The Host header injection vulnerability in Shynet allows attackers to control the Host header field in HTTP requests. During the password reset flow, this can be exploited to redirect users to a malicious website that mimics the legitimate Shynet login page. Attackers could then steal user credentials through phishing. Successful exploitation requires an attacker to trigger the password reset functionality, but the impact can be significant, leading to account compromise and potential data breaches. The blast radius extends to any user who relies on Shynet's password reset mechanism and is tricked into entering their credentials on a fake site.

Organizations and individuals using Shynet versions 0.0 through 0.14.0 are at risk. This includes deployments in development, testing, and production environments. Shared hosting environments where Shynet is installed could also be impacted if the host does not implement adequate security measures.

• python / server:

# Check for vulnerable Shynet versions
python -c 'import shynet; print(shynet.__version__)'

• generic web:

# Check for password reset endpoints and attempt Host header manipulation
curl -H "Host: attacker.com" https://your-shynet-instance/password/reset

1. 2026-04-03Disclosure

   disclosure

1. 予約済み2026-04-03
2. 公開日2026-04-03
3. EPSS 更新日2026-04-10

The primary mitigation for CVE-2026-35507 is to upgrade Shynet to version 0.14.0 or later, which includes the fix for this vulnerability. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) rule to filter out requests with suspicious Host headers. Specifically, look for Host headers that contain unexpected characters or domain names. Additionally, carefully review Shynet's configuration to ensure that the password reset functionality is not exposed to untrusted networks. After upgrading, confirm the fix by attempting a password reset and verifying that the redirection URL is as expected.