CVE-2026-35508
Cross-Site Scripting in Shynet Template Filters Before
Publication date: 2026-04-03
Last updated on: 2026-04-10
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| shynet | shynet | < 0.14.0 (0.14.0 not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-35508 is a stored Cross-Site Scripting (XSS) vulnerability in the Shynet analytics dashboard before version 0.14.0. It affects the `urldisplay` and `iconify` template filters, which render untrusted location and referrer URLs that anyone can submit through the unauthenticated public ingress endpoint used for collecting analytics hits.
The vulnerability arises because these filters insert the raw URL directly into HTML attributes without escaping it. A URL containing a quote character closes the attribute early, so an attacker can append additional attributes, including JavaScript event handlers, that the browser treats as part of the tag. The payload is stored with the analytics record and executes in the administrator's browser session the next time the dashboard renders it.
The issue was fixed by applying Django's `escape()` function (`django.utils.html.escape`) to all user-controlled URL components before insertion, so quote characters are emitted as HTML entities and can no longer break out of the attribute.
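To make the attribute break-out concrete, the following added example (not Shynet's code) reconstructs a hypothetical URL-display filter in its "before" and "after" forms and parses the rendered markup the way a browser would. The `urldisplay_vulnerable` / `urldisplay_fixed` names, the `<a>` tag shape and the scheme-stripping label are assumptions made for the example; Python's `html.escape` is used in place of `django.utils.html.escape` because both escape the same five characters (`& < > " '`).

```python
"""Vulnerable vs. hardened URL-display filter, illustrating the CVE-2026-35508
pattern. Hypothetical reconstruction for the example, not Shynet's actual
urldisplay/iconify code. html.escape(quote=True) escapes the same five
characters as django.utils.html.escape, so it stands in for it here."""
import re
from html import escape
from html.parser import HTMLParser

# Payload shape quoted in the advisory text: closes the single-quoted attribute,
# adds an event handler, and re-opens a quote so the remaining markup stays valid.
PAYLOAD = "http://x' onfocus='alert(1)' autofocus='"
BENIGN = "https://example.org/page?a=1&b=2"


def _label(url: str) -> str:
    """Display text: the URL without its scheme (assumed behaviour for the example)."""
    return re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.IGNORECASE)


def urldisplay_vulnerable(url: str) -> str:
    """'Before' behaviour: the raw URL is dropped into single-quoted attributes."""
    return f"<a href='{url}' title='{url}'>{_label(url)}</a>"


def urldisplay_fixed(url: str) -> str:
    """'After' behaviour: every user-controlled component is escaped first."""
    safe_url = escape(url, quote=True)
    return f"<a href='{safe_url}' title='{safe_url}'>{escape(_label(url))}</a>"


class _AnchorAttrs(HTMLParser):
    """Collect the attributes a browser would see on the rendered <a> tag."""

    def __init__(self):
        super().__init__()
        self.attrs: dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                # Keep the first occurrence, as browsers do for duplicate attributes.
                self.attrs.setdefault(name, value or "")


def anchor_attributes(markup: str) -> dict[str, str]:
    """Parse the markup and return the anchor's attribute map (values entity-decoded)."""
    parser = _AnchorAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def injected_handlers(markup: str) -> list[str]:
    """Event-handler attributes (on*) on the anchor. Any hit means the URL
    escaped its attribute context; the fixed filter must always return []."""
    return sorted(a for a in anchor_attributes(markup) if a.startswith("on"))


if __name__ == "__main__":
    for render in (urldisplay_vulnerable, urldisplay_fixed):
        markup = render(PAYLOAD)
        print(render.__name__, "->", markup)
        print("  event handlers seen by the browser:", injected_handlers(markup))
```

Run stand-alone, the vulnerable filter yields an anchor carrying `onfocus` and `autofocus` attributes, while the fixed filter yields only `href` and `title`, with the full payload string safely contained in the `href` value. Because the fix escapes at render time, records that already hold a payload are neutralised as soon as the patched filter renders them.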
How can this vulnerability impact me?
This vulnerability allows an unauthenticated attacker to submit a crafted location or referrer URL that is stored and later rendered in the Shynet dashboard; when an administrator views the affected page, arbitrary JavaScript executes in the administrator's browser with the administrator's session.
- Execution of arbitrary JavaScript in admin sessions, potentially leading to session hijacking or unauthorized actions.
- Compromise of administrative control over the Shynet analytics dashboard.
- Potential exposure of sensitive analytics data or configuration settings.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Affected installations are identified by version: every Shynet release before 0.14.0 ships the unescaped `urldisplay` and `iconify` template filters, so confirming that the running version is below 0.14.0 is sufficient.
To find exploitation attempts, search requests to the unauthenticated public ingress endpoint for location or referrer values that carry attribute-breaking payloads such as `http://x' onfocus='... autofocus='`. Two caveats: in access logs the payload normally appears percent-encoded (`%27` for `'`, `%20` for the space, `%3D` for `=`), so search for both the raw and the encoded form; and values submitted in a request body rather than the query string do not appear in access logs at all.
Example commands to search web server logs for such payloads:
- grep -i "http://x' onfocus='" /var/log/nginx/access.log (raw form)
- grep -iE "%27(%20| |\+)on[a-z]+(%3D|=)" /var/log/nginx/access.log (percent-encoded form: quote, whitespace, event-handler name, equals sign)
Additionally, inspect the rendered HTML source of dashboard pages such as `/dashboard/service/<uuid>/` and `/dashboard/service/<uuid>/locations/` for anchor elements carrying attributes beyond the expected `href` and `title` (for example `onfocus` or `autofocus`); such attributes indicate that a payload is already stored in the database.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Shynet before 0.14.0 is a stored Cross-Site Scripting (XSS) issue that lets an unauthenticated attacker run JavaScript in an administrator's dashboard session, which in turn can expose or alter the analytics data the dashboard manages.
The advisory itself makes no statement about GDPR, HIPAA or other frameworks. Stored XSS in an administrative interface does, however, threaten the confidentiality and integrity of the data behind it, and web analytics data frequently includes personal data such as visitor locations and referrers. Unauthorized disclosure or alteration of that data through exploitation could therefore trigger the breach-handling and data-protection obligations those regulations impose.
Organizations running affected versions should treat this vulnerability as a risk to their regulatory posture and apply the fix.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Shynet to version 0.14.0 or later, where the `urldisplay` and `iconify` template filters escape user input before rendering. Because the fix is applied at render time, payloads already stored in analytics records are neutralized once the patched filters render them.
If upgrading immediately is not possible, keep in mind that the payload is stored through the public ingress endpoint and only executes when an administrator views the dashboard. Restricting dashboard access to trusted administrators narrows who can be affected but does not stop payload storage, so also monitor ingress requests for suspicious location and referrer values until the upgrade is done.
Web application firewall (WAF) rules that block ingress requests whose URL parameters contain attribute-breaking characters (quotes followed by `on...=` event-handler names) can reduce exploitation attempts; rules should match the percent-encoded forms as well as the raw characters.