{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35508", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-03T01:13:14.523Z", "datePublished": "2026-04-03T01:13:15.180Z", "dateUpdated": "2026-04-03T13:21:18.222Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Shynet", "vendor": "milesmcc", "versions": [{"lessThan": "0.14.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "Shynet before 0.14.0 allows XSS in urldisplay and iconify template filters,"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-03T01:13:15.180Z"}, "references": [{"url": "https://github.com/milesmcc/shynet/releases/tag/v0.14.0"}, {"url": "https://github.com/milesmcc/shynet/pull/344"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T13:21:09.464366Z", "id": "CVE-2026-35508", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T13:21:18.222Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35508", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T13:21:09.464366Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T13:21:15.316Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "milesmcc", "product": "Shynet", "versions": [{"status": "affected", "version": "0", "lessThan": "0.14.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/milesmcc/shynet/releases/tag/v0.14.0"}, {"url": "https://github.com/milesmcc/shynet/pull/344"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "Shynet before 0.14.0 allows XSS in urldisplay and iconify template filters,"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-03T01:13:15.180Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35508", "state": "PUBLISHED", "dateUpdated": "2026-04-03T13:21:18.222Z", "dateReserved": "2026-04-03T01:13:14.523Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-03T01:13:15.180Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Shynet before 0.14.0 allows XSS in urldisplay and iconify template filters,"}], "id": "CVE-2026-35508", "lastModified": "2026-04-03T16:10:23.730", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.7, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-03T02:16:15.353", "references": [{"source": "cve@mitre.org", "url": "https://github.com/milesmcc/shynet/pull/344"}, {"source": "cve@mitre.org", "url": "https://github.com/milesmcc/shynet/releases/tag/v0.14.0"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0.14.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Shynet", "source": "cna", "vendor": "milesmcc"}, "product": "shynet", "vendor": "milesmcc"}], "analysis": {"en": {"generated_at": "2026-04-03T03:50:31.006834+00:00", "value": {"mitigation_remediation": ["Upgrade Shynet to version 0.14.0 or later"], "summary": {"action": "Patch Now", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The issue exists in Shynet releases from the vendor milesmcc that are older than version 0.14.0. Any deployment that uses a pre\u20110.14.0 release and employs the urldisplay or iconify filters in its templates is susceptible.", "description_and_impact": "An unsanitized script injection flaw allows arbitrary JavaScript code to be executed in the web browsers of users who view pages that process data through the urldisplay or iconify template filters. The vulnerability enables attackers to steal session cookies, deface content, or conduct phishing attacks by injecting malicious scripts. The weakness aligns with the OWASP CWE\u201179 classification, which covers cross\u2011site scripting flaws.", "risk_and_exploitability": "The CVSS score of 5.4 indicates a moderate severity level, reflecting the client\u2011side impact and the absence of a remote code execution vector. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that large\u2011scale exploitation has not been observed. Based on the description, the likely attack vector would require an attacker to embed malicious JavaScript payloads in data that is rendered by the vulnerable filters, and the victim would need to view a page that processes such input. While the risk is moderate, the available exploit path may be publicly usable if an attacker can supply crafted content to users."}}}}, "created": "2026-04-03T07:31:14.555909+00:00", "title": "Cross\u2011Site Scripting via urldisplay and iconify Filters in Shynet before v0.14.0", "updated": "2026-04-03T09:16:02.402874+00:00", "vendors": ["milesmcc", "milesmcc$PRODUCT$shynet"]}