Description
Open redirection vulnerability due to insufficient validation of the X-Forwarded-Host HTTP header. An attacker could create manipulated links that, when opened by a victim, cause the victim to be redirected to domains controlled by the attacker, enabling phishing or deception attacks with limited impact on confidentiality and integrity.
Published: 2026-06-17
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from insufficient validation of the X-Forwarded-Host HTTP header in Password Manager. An attacker can craft a URL that includes a malicious domain in X-Forwarded-Host. When a victim opens the link, the application redirects them to the attacker‑controlled site, enabling phishing or deception attacks. The flaw is a classic open‑redirection weakness classified as CWE‑601, and although it does not directly compromise data confidentiality or integrity, it can lead to user confusion and credential theft.

Affected Systems

All installed versions of Password Manager prior to the update released on 8 July 2025 are affected. The product is identified by the vendor-name Password Manager, and the patch fixes the issue in the 08_07_2025 release.

Risk and Exploitability

The CVSS score of 5.1 indicates a medium severity weakness. the CVE is not listed in the CISA KEV catalog, implying that documented exploitation is currently low or unknown. The attack requires delivering a crafted link containing a manipulated X-Forwarded-Host header, which an attacker can embed in emails, social media posts, or any URL that a victim may click. Because the exploitation path does not require authentication or prior compromise, the risk is moderate, but the potential phishing impact warrants prompt remediation.

Generated by OpenCVE AI on June 18, 2026 at 12:00 UTC.

Remediation

Vendor Solution

The vulnearbility has been fixed by the Password Manager team on 08/07/2025. It is recommend to update to the latest available version.


OpenCVE Recommended Actions

  • Apply the latest Password Manager release (08/07/2025) which includes the fix for X-Forwarded-Host validation.
  • Verify the application no longer redirects based on the X-Forwarded-Host header by testing with a known malicious URL or using a redirect‑detection tool.
  • Reconfigure any reverse proxy or load balancer in front of Password Manager to strip or properly validate the X-Forwarded-Host header before request handling.

Generated by OpenCVE AI on June 18, 2026 at 12:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
Description Open redirection vulnerability due to insufficient validation of the X-Forwarded-Host HTTP header. An attacker could create manipulated links that, when opened by a victim, cause the victim to be redirected to domains controlled by the attacker, enabling phishing or deception attacks with limited impact on confidentiality and integrity.
Title Open redirection vulnerability in Password Manager
First Time appeared Password Manager
Password Manager password Manager
Weaknesses CWE-601
CPEs cpe:2.3:a:password_manager:password_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:password_manager:password_manager:08_07_2025:*:*:*:*:*:*:*
Vendors & Products Password Manager
Password Manager password Manager
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

Password Manager Password Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-06-17T14:58:21.458Z

Reserved: 2026-06-04T11:16:43.717Z

Link: CVE-2026-10837

cve-icon Vulnrichment

Updated: 2026-06-17T14:58:14.911Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:41:52Z

Weaknesses
  • CWE-601

    URL Redirection to Untrusted Site ('Open Redirect')