Severity by source
Primary rating from vendor (INCIBE):
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Network-reachable with no authentication required, but scope changes to dependent services and the user must interact with the reflected content.
Description (CVE.org)
Improper handling of HTTP headers that allows a remote attacker to manipulate the value of the Host header using specially crafted requests. A successful exploit could result in the generation of manipulated links or responses, potentially leading to limited information disclosure or compromising the integrity of dependent services.
Analysis (AI)
Host Header Injection in Password Manager (all versions per CPE) enables remote unauthenticated attackers to manipulate the HTTP Host header, causing the application to generate crafted links or responses that reference an attacker-controlled domain. Exploitation requires active user interaction (UI:A per CVSS 4.0 vector), limiting mass exploitation but enabling targeted phishing, password-reset link hijacking, or cache poisoning affecting dependent services. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Active user interaction is required: a user must follow or interact with a link or response generated by the application that embeds the attacker-supplied Host header value (UI:A per CVSS 4.0). … |
| Risk Assessment | The CVSS 4.0 score of 5.1 (Medium) is consistent with the actual attack surface: no authentication or special configuration is required (PR:N, AC:L, AT:N), but active user interaction is mandatory (UI:A), which materially reduces exploitability in automated attack scenarios. … |
| Exploit Scenario | An attacker sends an HTTP request to the Password Manager application with a forged Host header value pointing to an attacker-controlled domain (e.g., Host: attacker.example.com). The application reflects this value when generating a password-reset or account-verification link, which is then delivered to the victim user via email. … |
| Remediation | A vendor-released patch is confirmed available per the INCIBE advisory (https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-password-manager); however, the exact patched version number is not specified in the available data, so consult the advisory directly to identify the target upgrade version. … |
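The reflect-the-Host pattern described in the exploit scenario, shown beside a hardened link builder and a log check for non-allowlisted hosts, as an added Python example that is not the vendor's code; the host names, header dictionary layout, URL layout and log-line format are assumptions constructed for illustration.

```python
from urllib.parse import quote

# Assumed deployment values (constructed for this example): the only hosts the
# application is legitimately served from, and the base URL it should emit.
ALLOWED_HOSTS = {"vault.example.com", "vault.example.com:8443"}
CANONICAL_BASE_URL = "https://vault.example.com"


def effective_host(headers):
    """Host a naive application ends up using. Reverse proxies commonly let
    X-Forwarded-Host override Host, so both headers are attacker-influenced
    (header names assumed canonically cased in this dict)."""
    return (headers.get("X-Forwarded-Host") or headers.get("Host", "")).strip().lower()


def reset_link_vulnerable(headers, token):
    """The CVE pattern: the request's host is reflected into the emailed link,
    so a forged header yields a link to an attacker-controlled domain."""
    return f"https://{effective_host(headers)}/reset?token={quote(token, safe='')}"


def host_is_allowed(headers):
    """True only when the request's host matches the configured allowlist."""
    return effective_host(headers) in ALLOWED_HOSTS


def reset_link_hardened(headers, token):
    """Builds the link from the configured base URL and rejects requests whose
    host is not allowlisted, so request headers never reach the email body."""
    if not host_is_allowed(headers):
        raise ValueError(f"rejected request with unexpected host {effective_host(headers)!r}")
    return f"{CANONICAL_BASE_URL}/reset?token={quote(token, safe='')}"


def flag_suspicious_hosts(log_lines):
    """Detection: return (host, line) for request log lines whose host field is
    not allowlisted. Assumed line format: '<ip> <method> <path> host=<value>'."""
    flagged = []
    for line in log_lines:
        for field in line.split():
            if field.startswith("host="):
                host = field[len("host="):].lower()
                if host not in ALLOWED_HOSTS:
                    flagged.append((host, line))
    return flagged


# Constructed sample log lines (TEST-NET addresses, not real traffic).
SAMPLE_LOG = [
    "203.0.113.5 POST /password/forgot host=vault.example.com",
    "198.51.100.7 POST /password/forgot host=attacker.example.com",
    "203.0.113.9 GET /login host=vault.example.com:8443",
]
```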
More from the same product (last 7 days)
- Open redirection in Password Manager exposes users to phishing attacks by failing to validate the X-Forwarded-Host HTTP …
- Open redirection in the Password Manager authentication system enables network-accessible, unauthenticated attackers to …
EU Vulnerability Database identifier: EUVD-2026-37678