Platform
python
Component
shynet
Fixed in
0.14.0
CVE-2026-35508 is a Cross-Site Scripting (XSS) vulnerability in Shynet. The flaw lets attackers inject malicious scripts into users' browsers, compromising the security and integrity of the application. It affects Shynet versions 0 through 0.14.0. The vulnerability was fixed in version 0.14.0.
The XSS vulnerability in Shynet allows an attacker to execute arbitrary JavaScript code within the context of a user's browser. This can be exploited to steal sensitive information, such as cookies and session tokens, which can then be used to impersonate the user. Attackers could also redirect users to malicious websites, deface the application, or inject malware. The impact is amplified if Shynet is used in a high-traffic application or handles sensitive user data, as a successful attack could affect a large number of users. While no specific real-world exploits have been publicly reported for this vulnerability, XSS vulnerabilities are consistently among the most common attack vectors.
CVE-2026-35508 was publicly disclosed on 2026-04-03. There is no indication of this vulnerability being actively exploited in the wild. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not currently available, but the nature of XSS vulnerabilities means that it is likely a PoC will be developed in the near future.
Applications utilizing Shynet versions 0.0 through 0.14.0 are at risk. This includes web applications that rely on Shynet for templating and URL display functionality. Specifically, applications with user-controllable input that is directly rendered by the urldisplay or iconify filters are most vulnerable.
• python / server:
# Check the installed Shynet version
python -c 'import shynet; print(shynet.__version__)'
• generic web:
# Check access logs for requests that reference the affected template filters
# (-E is required for the alternation "|" to work in grep)
grep -iE 'urldisplay|iconify' /var/log/apache2/access.log
Exploit Status
EPSS
0.04% (12th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-35508 is to upgrade Shynet to version 0.14.0 or later, which contains the fix for this vulnerability. If upgrading immediately is not possible, consider implementing input validation and output encoding on user-supplied data used in the urldisplay and iconify template filters. Additionally, a Web Application Firewall (WAF) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review and update your WAF rules to ensure they are effective against the latest XSS techniques.
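To make the "input validation and output encoding" mitigation concrete, here is an added example (written for this page, not Shynet's own filter code) of a stand-in URL-rendering template filter in its unsafe form beside a hardened form that allowlists the scheme and escapes every interpolated value. The function names and the sample URL are constructed for the demonstration.

```python
"""
Added example, not Shynet's implementation: a minimal stand-in for a
Django-style template filter that renders a URL as a link. The weak
version splices raw input into markup; the hardened version rejects
non-http(s) schemes and HTML-escapes the value before interpolation.
Function names (render_url_weak, render_url_safe) are hypothetical.
"""
from html import escape
from urllib.parse import urlsplit

# Only plain web URLs are acceptable inside href="..."; this keeps
# javascript: and data: schemes out of the attribute entirely.
ALLOWED_SCHEMES = {"http", "https"}


def render_url_weak(url: str) -> str:
    # Vulnerable pattern: user-controlled text goes into HTML verbatim,
    # so a quote or angle bracket in the URL breaks out of the attribute.
    return '<a href="' + url + '">' + url + "</a>"


def render_url_safe(url: str) -> str:
    # Input validation: require an http(s) scheme and a host.
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return ""
    # Output encoding: quote=True (the default) escapes & < > " and ',
    # which is what makes the value safe inside a quoted attribute
    # as well as in the text node.
    safe = escape(url, quote=True)
    return f'<a href="{safe}">{safe}</a>'


if __name__ == "__main__":
    # Constructed sample input: a query string that tries to close the
    # href attribute and open a new element.
    tainted = 'https://example.com/?q="><b>x</b>'
    print("weak:", render_url_weak(tainted))
    print("safe:", render_url_safe(tainted))
    print("non-http scheme:", repr(render_url_safe("javascript:void(0)")))
```

In a real Django filter the hardened result would be returned through `django.utils.html.format_html`, which performs the same escaping of each argument, rather than via `mark_safe` on a hand-built string.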
Upgrade Shynet to version 0.14.0 or later. This version fixes the XSS vulnerabilities in the urldisplay and iconify template filters. The upgrade can be performed via pip: `pip install --upgrade shynet`.
CVE-2026-35508 is a cross-site scripting (XSS) vulnerability affecting Shynet versions 0.0 to 0.14.0, allowing attackers to inject malicious scripts via template filters.
If you are using Shynet versions 0.0 through 0.14.0, you are potentially affected by this vulnerability. Check your version and upgrade if necessary.
Upgrade Shynet to version 0.14.0 or later to resolve the XSS vulnerability. Consider input validation and output encoding as a temporary mitigation.
There is currently no public evidence of CVE-2026-35508 being actively exploited in the wild, but XSS vulnerabilities are commonly targeted.
Refer to the Shynet project's official release notes and security advisories for details on this vulnerability and the fix.