Impact
An attacker can craft a malicious X-Forwarded-Host header that causes the Password Manager to compose redirect URLs that point to attacker-controlled sites. The flaw, identified as CWE‑601, can lead to authenticated users being redirected to phishing or malicious domains during login or normal interface interactions, potentially enabling credential theft or other social engineering attacks. While the vulnerability does not directly compromise application data confidentiality or integrity, it creates a moderate risk by enabling deceptive URLs and undermining user trust.
Affected Systems
All instances of Password Manager from the Password Manager brand are affected. Any release before the August 7 2025 patch (build identifier 08_07_2025) contains the vulnerable header handling and must be upgraded to the patched build or newer.
Risk and Exploitability
The CVSS score of 5.1 indicates moderate severity. The EPSS score is not provided, and the vulnerability is not listed in the CISA KEV catalog, suggesting no widely known exploitation yet. An attacker can exploit the flaw by sending an HTTP request with a manipulated X-Forwarded-Host header to a target system that blindly trusts this header to generate redirect URLs, requiring only an authenticated session or the ability to influence the header during login or subsequent navigation.
OpenCVE Enrichment