CVE-2026-35507: Shynet before 0.14.0 allows Host header injection in the password reset flow.

Description

Shynet before 0.14.0 allows Host header injection in the password reset flow.

Vendor	Product	Versions
milesmcc	shynet	0, 0.13.x

Tier C

VulDB4h ago

→ No new info (linked only)

CVSS 3.16.4 MEDIUM

VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L

CISA KEV❌ No

Actively exploited❌ No

Patch available

0.14.0

CWECWE-348

PublishedApr 3, 2026

Last enriched4h agov2

Trending Score23

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Last enriched 4h ago

v2Tier C4h ago

Updated affected versions to 0.13.x and confirmed no exploit is available.

affectedVersions

via VulDB

v17h ago

Initial creation