{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35508", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-03T01:13:14.523Z", "datePublished": "2026-04-03T01:13:15.180Z", "dateUpdated": "2026-04-03T13:21:18.222Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Shynet", "vendor": "milesmcc", "versions": [{"lessThan": "0.14.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "Shynet before 0.14.0 allows XSS in urldisplay and iconify template filters,"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-03T01:13:15.180Z"}, "references": [{"url": "https://github.com/milesmcc/shynet/releases/tag/v0.14.0"}, {"url": "https://github.com/milesmcc/shynet/pull/344"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T13:21:09.464366Z", "id": "CVE-2026-35508", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T13:21:18.222Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35508", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T13:21:09.464366Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T13:21:15.316Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "milesmcc", "product": "Shynet", "versions": [{"status": "affected", "version": "0", "lessThan": "0.14.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/milesmcc/shynet/releases/tag/v0.14.0"}, {"url": "https://github.com/milesmcc/shynet/pull/344"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "Shynet before 0.14.0 allows XSS in urldisplay and iconify template filters,"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-03T01:13:15.180Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35508", "state": "PUBLISHED", "dateUpdated": "2026-04-03T13:21:18.222Z", "dateReserved": "2026-04-03T01:13:14.523Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-03T01:13:15.180Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:shynet:shynet:*:*:*:*:*:*:*:*", "matchCriteriaId": "600DCDD5-5C51-44FB-8431-099212B69385", "versionEndExcluding": "0.14.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Shynet before 0.14.0 allows XSS in urldisplay and iconify template filters,"}], "id": "CVE-2026-35508", "lastModified": "2026-04-10T16:02:16.817", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.7, "source": "cve@mitre.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-03T02:16:15.353", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/milesmcc/shynet/pull/344"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://github.com/milesmcc/shynet/releases/tag/v0.14.0"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0.14.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Shynet", "source": "cna", "vendor": "milesmcc"}, "product": "shynet", "vendor": "milesmcc"}], "analysis": {"en": {"generated_at": "2026-04-10T18:53:01.743182+00:00", "value": {"mitigation_remediation": ["Check the current Shynet version by running the version command or inspecting package metadata.", "Update Shynet to version 0.14.0 or later, following the official release notes and download instructions from the project repository.", "If an immediate upgrade is not possible, restrict the use of the urldisplay and iconify filters to trusted data only, or sanitize or escape any dynamic content before rendering."], "summary": {"action": "Upgrade", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All installations of Shynet produced by milesmcc that run a release prior to v0.14.0 are affected. No specific commit is listed, so any build before 0.14.0 should be considered vulnerable.", "description_and_impact": "The Shynet analytics platform contains a cross\u2011site scripting flaw in the urldisplay and iconify template filters. The flaw allows a malicious URL or icon name supplied to these filters to inject script that will be executed when the page renders. The description implies that an attacker who can provide such a payload could cause the victim\u2019s browser to execute arbitrary JavaScript in the context of the site.", "risk_and_exploitability": "The CVSS score of 5.4 indicates medium severity. The EPSS score of less than 1% suggests a low probability of exploitation, and the vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector is through a web page that renders URLs or icon names processed by the vulnerable filters, such as a dashboard or report that incorporates external or user\u2011supplied data."}}}}, "created": "2026-04-03T07:31:14.555909+00:00", "updated": "2026-04-13T14:28:01.385287+00:00", "vendors": ["milesmcc", "milesmcc$PRODUCT$shynet"]}