CVE-2026-35507: Shynet before 0.14.0 allows Host header injection in the password reset flow.

Description

Shynet before 0.14.0 allows Host header injection in the password reset flow.

Vendor	Product	Versions
milesmcc	shynet	0, 0.13.x

Tier C

VulDB6h ago

→ No new info (linked only)

CVSS 3.16.4 MEDIUM

VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L

CISA KEV❌ No

Actively exploited❌ No

Patch available

0.14.0

CWECWE-348

PublishedApr 3, 2026

Last enriched6h agov2

Trending Score23

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Last enriched 6h ago

v2Tier C6h ago

Updated affected versions to 0.13.x and confirmed no exploit is available.

affectedVersions

via VulDB

v19h ago

Initial creation