Shynet before 0.14.0 allows Host header injection in the password reset flow.

References
https://github.com/milesmcc/shynet/releases/tag/v0.14.0
https://github.com/milesmcc/shynet/pull/345