Platform
python
Component
shynet
Fixed in
0.14.0
CVE-2026-35507 allows Host header injection in Shynet's password reset flow. This can let an attacker redirect users to malicious sites or perform other unauthorized actions. It affects Shynet versions prior to 0.14.0. The fix is available in version 0.14.0.
The Host header injection vulnerability in Shynet allows attackers to control the Host header field in HTTP requests. During the password reset flow, this can be exploited to redirect users to a malicious website that mimics the legitimate Shynet login page. Attackers could then steal user credentials through phishing. Successful exploitation requires an attacker to trigger the password reset functionality, but the impact can be significant, leading to account compromise and potential data breaches. The blast radius extends to any user who relies on Shynet's password reset mechanism and is tricked into entering their credentials on a fake site.
CVE-2026-35507 was publicly disclosed on 2026-04-03. There is currently no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released. The vulnerability is not listed on the CISA KEV catalog at the time of this writing.
Organizations and individuals using Shynet versions 0.0 through 0.14.0 are at risk. This includes deployments in development, testing, and production environments. Shared hosting environments where Shynet is installed could also be impacted if the host does not implement adequate security measures.
• python / server:
  # Check for vulnerable Shynet versions
  python -c 'import shynet; print(shynet.__version__)'
• generic web:
  # Check for password reset endpoints and attempt Host header manipulation
  curl -H "Host: attacker.com" https://your-shynet-instance/password/reset
Exploit Status
EPSS
0.01% (3rd percentile)
CISA SSVC
The primary mitigation for CVE-2026-35507 is to upgrade Shynet to version 0.14.0 or later, which includes the fix for this vulnerability. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) rule to filter out requests with suspicious Host headers. Specifically, reject any Host header that does not match one of the hostnames your deployment is expected to serve, or that contains unexpected characters. Additionally, carefully review Shynet's configuration to ensure that the password reset functionality is not exposed to untrusted networks. After upgrading, confirm the fix by requesting a password reset with a non-matching Host header and verifying that the link in the resulting email still points at your own domain.
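The following is an added example, not Shynet's own code, illustrating the two defensive checks the mitigation above describes: an allowlist check on the Host header (tolerant of port suffixes, case, trailing dots and IPv6 brackets) and building the reset link from a configured canonical base URL rather than from the request's Host. The setting names ALLOWED_HOSTS and CANONICAL_BASE_URL, the hostnames, the reset path and the sample request lines are all constructed for the example; the WAF-style triage over log lines is a simplified stand-in for a real rule.

```python
"""Host-header allowlist check and canonical reset-link construction.

Added example (not Shynet's own code). Demonstrates refusing requests whose
Host header is not an expected hostname, and building password-reset links
from a configured base URL instead of the request's Host header.
"""

# Constructed configuration: hostnames this deployment legitimately serves.
ALLOWED_HOSTS = {"analytics.example.org", "localhost"}
# Constructed canonical base URL used for outbound links (assumed setting name).
CANONICAL_BASE_URL = "https://analytics.example.org"


def normalise_host(host_header: str) -> str:
    """Return the lower-cased hostname from a raw Host header value.

    Strips an optional :port, a trailing dot, and IPv6 brackets. Returns ""
    for an empty or malformed header so the caller treats it as untrusted.
    """
    value = host_header.strip().lower()
    if not value:
        return ""
    if value.startswith("["):            # IPv6 literal, e.g. [::1]:8000
        end = value.find("]")
        if end == -1:
            return ""
        return value[1:end]
    hostname, _, port = value.partition(":")
    if port and not port.isdigit():      # "host:abc" is malformed, reject
        return ""
    return hostname.rstrip(".")


def host_is_allowed(host_header: str, allowed=ALLOWED_HOSTS) -> bool:
    """True only when the Host header names a configured hostname."""
    hostname = normalise_host(host_header)
    return bool(hostname) and hostname in allowed


def build_reset_url(host_header: str, token: str) -> str:
    """Build the password-reset link an email would carry.

    The request's Host header is checked but never copied into the link;
    the link always uses CANONICAL_BASE_URL, so a forged Host cannot steer
    the recipient to an attacker-controlled site.
    """
    if not host_is_allowed(host_header):
        raise ValueError(f"rejected Host header: {host_header!r}")
    return f"{CANONICAL_BASE_URL}/password/reset/confirm/{token}"


def classify_request_lines(lines):
    """Minimal WAF-style triage over constructed lines 'METHOD PATH HOST'.

    Flags password-reset requests whose Host header is not on the allowlist.
    """
    findings = []
    for line in lines:
        method, path, host = line.split(maxsplit=2)
        if path.startswith("/password/reset") and not host_is_allowed(host):
            findings.append((path, host))
    return findings


if __name__ == "__main__":
    # Constructed sample request lines, not real traffic.
    sample = [
        "POST /password/reset/ analytics.example.org",
        "POST /password/reset/ ANALYTICS.EXAMPLE.ORG:443",
        "POST /password/reset/ attacker.example",
        "GET /dashboard/ attacker.example",
    ]
    for path, host in classify_request_lines(sample):
        print(f"suspicious Host {host!r} on {path}")
    print(build_reset_url("analytics.example.org", "TOKEN-PLACEHOLDER"))
```

In a Django-based deployment such as Shynet the allowlist check corresponds to the framework's ALLOWED_HOSTS setting; the point the example adds is that the allowlist alone does not help if the reset link is still assembled from the incoming Host value, so the link builder takes its origin from configuration.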
Upgrade Shynet to version 0.14.0 or later. This version fixes the Host header injection vulnerability in the password reset flow.
CVE-2026-35507 is a security flaw in Shynet that allows Host header injection during the password reset process, potentially enabling phishing or redirection attacks.
You are affected if you are running a version of Shynet prior to 0.14.0. Check your Shynet version to determine whether an update is needed.
The fix for CVE-2026-35507 is available in Shynet version 0.14.0. Update to this version or later to mitigate the risk.
CVSS Vector