Description
Improper handling of HTTP headers that allows a remote attacker to manipulate the value of the Host header using specially crafted requests. A successful exploit could result in the generation of manipulated links or responses, potentially leading to limited information disclosure or compromising the integrity of dependent services.
Published: 2026-06-17
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from improper remote attacker to inject a crafted Host header into requests that the Password Manager processes without neutralization. The exploitation can lead to generation of manipulated links or responses. This manipulation may expose limited internal information or alter the integrity of dependent services, although it does not appear to enable full remote code execution or privilege escalation. The weakness is identified as CWE‑644.

Affected Systems

Password Manager’s Password Manager product is affected. The vendor supplied a fix released on 08 07 2025; versions prior to that are vulnerable. No specific component versions are listed beyond the overall product.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. EPSS is not available, so the probability of exploitation cannot be quantified; the vulnerability is not listed in CISA KEV. Based on the description, the likely attack vector is remote via crafted HTTP requests sent over a network that reaches the Password Manager server. An attacker would need network access to send a malicious Host header and the vulnerability would only affect services that rely on the header for generating URLs or responses.

Generated by OpenCVE AI on June 18, 2026 at 12:00 UTC.

Remediation

Vendor Solution

The vulnearbility has been fixed by the Password Manager team on 08/07/2025. It is recommend to update to the latest available version.


OpenCVE Recommended Actions

  • Apply the latest patch from the Password Manager team to avoid the header manipulation flaw.
  • Configure any front‑end proxies or web servers to validate the Host header against a whitelist of allowed values, rejecting or normalizing unexpected input.
  • Enable logging of Host header values and monitor for anomalous patterns to detect potential exploitation attempts.

Generated by OpenCVE AI on June 18, 2026 at 12:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
Description Improper handling of HTTP headers that allows a remote attacker to manipulate the value of the Host header using specially crafted requests. A successful exploit could result in the generation of manipulated links or responses, potentially leading to limited information disclosure or compromising the integrity of dependent services.
Title Improper neutralization of HTTP headers in Password Manager
First Time appeared Password Manager
Password Manager password Manager
Weaknesses CWE-644
CPEs cpe:2.3:a:password_manager:password_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:password_manager:password_manager:08_07_2025:*:*:*:*:*:*:*
Vendors & Products Password Manager
Password Manager password Manager
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

Password Manager Password Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-06-17T14:58:57.262Z

Reserved: 2026-06-04T11:16:42.790Z

Link: CVE-2026-10836

cve-icon Vulnrichment

Updated: 2026-06-17T14:58:53.039Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:41:54Z

Weaknesses
  • CWE-644

    Improper Neutralization of HTTP Headers for Scripting Syntax