Description
Shynet before 0.14.0 allows XSS in urldisplay and iconify template filters,
Published: 2026-04-03
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Upgrade
AI Analysis

Impact

The Shynet analytics platform contains a cross‑site scripting flaw in the urldisplay and iconify template filters. The flaw allows a malicious URL or icon name supplied to these filters to inject script that will be executed when the page renders. The description implies that an attacker who can provide such a payload could cause the victim’s browser to execute arbitrary JavaScript in the context of the site.

Affected Systems

All installations of Shynet produced by milesmcc that run a release prior to v0.14.0 are affected. No specific commit is listed, so any build before 0.14.0 should be considered vulnerable.

Risk and Exploitability

The CVSS score of 5.4 indicates medium severity. The EPSS score of less than 1% suggests a low probability of exploitation, and the vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector is through a web page that renders URLs or icon names processed by the vulnerable filters, such as a dashboard or report that incorporates external or user‑supplied data.

Generated by OpenCVE AI on April 10, 2026 at 18:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the current Shynet version by running the version command or inspecting package metadata.
  • Update Shynet to version 0.14.0 or later, following the official release notes and download instructions from the project repository.
  • If an immediate upgrade is not possible, restrict the use of the urldisplay and iconify filters to trusted data only, or sanitize or escape any dynamic content before rendering.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Title Cross‑Site Scripting via urldisplay and iconify Filters in Shynet before v0.14.0

Fri, 10 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Shynet
Shynet shynet
CPEs cpe:2.3:a:shynet:shynet:*:*:*:*:*:*:*:*
Vendors & Products Shynet
Shynet shynet

Fri, 03 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Title Cross‑Site Scripting via urldisplay and iconify Filters in Shynet before v0.14.0
First Time appeared Milesmcc
Milesmcc shynet
Vendors & Products Milesmcc
Milesmcc shynet

Fri, 03 Apr 2026 01:30:00 +0000

Type Values Removed Values Added
Description Shynet before 0.14.0 allows XSS in urldisplay and iconify template filters,
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-03T13:21:18.222Z

Reserved: 2026-04-03T01:13:14.523Z

Link: CVE-2026-35508

Vulnrichment

Updated: 2026-04-03T13:21:15.316Z

NVD

Status: Analyzed

Published: 2026-04-03T02:16:15.353

Modified: 2026-04-10T16:02:16.817

Link: CVE-2026-35508

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T14:28:01Z

Weaknesses