CVE-2026-10836 - Vulnerability Details - OpenCVE

Improper handling of HTTP headers that allows a remote attacker to manipulate the value of the Host header using specially crafted requests. A successful exploit could result in the generation of manipulated links or responses, potentially leading to limited information disclosure or compromising the integrity of dependent services.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Password Manager	Password Manager

No data.

No data.

References

Link	Providers
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-password-manager

History

Wed, 17 Jun 2026 12:45:00 +0000

Type	Values Removed	Values Added
Description		Improper handling of HTTP headers that allows a remote attacker to manipulate the value of the Host header using specially crafted requests. A successful exploit could result in the generation of manipulated links or responses, potentially leading to limited information disclosure or compromising the integrity of dependent services.
Title		Improper neutralization of HTTP headers in Password Manager
First Time appeared		Password Manager Password Manager password Manager
Weaknesses		CWE-644
CPEs		cpe:2.3:a:password_manager:password_manager:::::::: cpe:2.3:a:password_manager:password_manager:08_07_2025:::::::*
Vendors & Products		Password Manager Password Manager password Manager
References		https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-password-manager
Metrics		cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published: 2026-06-17T11:10:49.015Z

Updated: 2026-06-17T11:10:49.015Z

Reserved: 2026-06-04T11:16:42.790Z

Link: CVE-2026-10836

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-10836", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2026-06-04T11:16:42.790Z", "datePublished": "2026-06-17T11:10:49.015Z", "dateUpdated": "2026-06-17T11:10:49.015Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2026-06-17T11:10:49.015Z"}, "title": "Improper neutralization of HTTP headers in Password Manager", "datePublic": "2026-06-17T10:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-644", "description": "CWE-644 Improper neutralization of HTTP headers for scripting syntax", "type": "CWE"}]}], "affected": [{"vendor": "Password Manager", "product": "Password Manager", "versions": [{"status": "affected", "version": "0", "lessThan": "08/07/2025", "versionType": "date"}, {"status": "unaffected", "version": "08/07/2025", "versionType": "date"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:password_manager:password_manager:*:*:*:*:*:*:*:*", "versionStartIncluding": "0", "versionEndExcluding": "08_07_2025"}, {"vulnerable": false, "criteria": "cpe:2.3:a:password_manager:password_manager:08_07_2025:*:*:*:*:*:*:*"}]}]}], "descriptions": [{"lang": "en", "value": "Improper handling of HTTP headers that allows a remote attacker to manipulate the value of the Host header using specially crafted requests. A successful exploit could result in the generation of manipulated links or responses, potentially leading to limited information disclosure or compromising the integrity of dependent services.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper handling of HTTP headers that allows a remote attacker to manipulate the value of the Host header using specially crafted requests. A successful exploit could result in the generation of manipulated links or responses, potentially leading to limited information disclosure or compromising the integrity of dependent services."}]}], "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-password-manager", "tags": ["patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"}}], "solutions": [{"lang": "en", "value": "The vulnearbility has been fixed by the Password Manager team on 08/07/2025. It is recommend to update to the latest available version.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The vulnearbility has been fixed by the Password Manager team on 08/07/2025. It is recommend to update to the latest available version."}]}], "source": {"defect": ["Julen Garrido Est\u00e9vez"], "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}}}