Impact
The vulnerability stems from improper remote attacker to inject a crafted Host header into requests that the Password Manager processes without neutralization. The exploitation can lead to generation of manipulated links or responses. This manipulation may expose limited internal information or alter the integrity of dependent services, although it does not appear to enable full remote code execution or privilege escalation. The weakness is identified as CWE‑644.
Affected Systems
Password Manager’s Password Manager product is affected. The vendor supplied a fix released on 08 07 2025; versions prior to that are vulnerable. No specific component versions are listed beyond the overall product.
Risk and Exploitability
The CVSS score of 5.1 indicates moderate severity. EPSS is not available, so the probability of exploitation cannot be quantified; the vulnerability is not listed in CISA KEV. Based on the description, the likely attack vector is remote via crafted HTTP requests sent over a network that reaches the Password Manager server. An attacker would need network access to send a malicious Host header and the vulnerability would only affect services that rely on the header for generating URLs or responses.
OpenCVE Enrichment