Shynet Password Reset Flow Allows Host Header Manipulation

CVE-2026-35507
Summary

An attacker who controls the Host header can manipulate Shynet's password reset process, potentially leading to account takeover. Users of Shynet versions prior to 0.14.0 should update to the latest version to prevent unauthorized access to accounts. Apply the latest security patches and keep all software up to date.

Original title
Shynet before 0.14.0 allows Host header injection in the password reset flow.
Original description
Shynet before 0.14.0 allows Host header injection in the password reset flow.
NVD CVSS 3.1: 6.4
Vulnerability type
CWE-348
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026