Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Network-accessible and no authentication required, but the user must click a crafted link (UI:A, active user interaction); impact on a subsequent system (SC:L/SI:L) applies because the victim is redirected to an attacker-controlled system.
Primary rating from vendor (INCIBE).
Description (CVE.org)
Open redirection vulnerability due to insufficient validation of the X-Forwarded-Host HTTP header. An attacker could create manipulated links that, when opened by a victim, cause the victim to be redirected to domains controlled by the attacker, enabling phishing or deception attacks with limited impact on confidentiality and integrity.
Analysis (AI)
Open redirection in Password Manager exposes users to phishing attacks by failing to validate the X-Forwarded-Host HTTP header before using it to construct redirect URLs. Unauthenticated remote attackers can craft malicious links that, when clicked by a victim, silently redirect them to an attacker-controlled domain - a particularly dangerous vector given that the target application manages credentials. …
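As an added illustration, not code from the advisory or from the affected product, the trusting pattern behind this class of bug is shown beside a hardened form that only honours a forwarded host found in an explicit allowlist. The hostnames, header values and allowlist are constructed for the example.

```python
from typing import Optional

# Constructed for the example: the hostnames this deployment is legitimately
# served under (hypothetical names, not taken from the advisory).
ALLOWED_HOSTS = {"vault.example.org"}
CANONICAL_HOST = "vault.example.org"


def build_redirect_vulnerable(headers: dict, path: str) -> str:
    """The pattern the advisory describes: X-Forwarded-Host is used as-is."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", CANONICAL_HOST)
    return f"https://{host}{path}"


def _normalise_host(raw: str) -> Optional[str]:
    """Take the first hop of a comma-separated forwarded value, lowercase it,
    strip an optional port and reject anything that is not a bare hostname."""
    first = raw.split(",")[0].strip().lower()
    if not first or any(c in first for c in "/\\@?#"):
        return None  # userinfo, path or query characters never belong in a host
    # IPv6 literals are not expected in this deployment, so a ':' is a port separator.
    hostname = first.rsplit(":", 1)[0] if ":" in first else first
    return hostname or None


def build_redirect_hardened(headers: dict, path: str) -> str:
    """Only an allowlisted forwarded host is used; anything else falls back to
    the canonical host, and the path is forced to stay site-relative."""
    forwarded = headers.get("X-Forwarded-Host", "")
    host = _normalise_host(forwarded) if forwarded else None
    if host not in ALLOWED_HOSTS:
        host = CANONICAL_HOST
    # A path beginning with '//' would itself become a protocol-relative redirect.
    if not path.startswith("/") or path.startswith("//"):
        path = "/"
    return f"https://{host}{path}"


if __name__ == "__main__":
    forged = {"X-Forwarded-Host": "attacker.example"}
    print(build_redirect_vulnerable(forged, "/login"))  # attacker-controlled host
    print(build_redirect_hardened(forged, "/login"))    # canonical host instead
```

The same allowlist check belongs at the reverse proxy as well, so that the application never sees a client-supplied X-Forwarded-Host in the first place.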
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires the victim to click a crafted link (CVSS UI:A: active user interaction is mandatory and is the primary limiting factor). … |
| Risk Assessment | The CVSS 4.0 score of 5.1 (Medium) reflects a network-reachable, low-complexity, unauthenticated attack path (AV:N/AC:L/AT:N/PR:N) gated on user interaction (UI:A). … |
| Exploit Scenario | An attacker composes a phishing email or message containing a legitimate-looking link to the target Password Manager instance, but with a forged X-Forwarded-Host header value embedded or triggered via a crafted intermediary request pointing to an attacker-controlled domain. When the victim clicks the link and the application processes the forged header to construct a redirect, the victim is silently sent to a convincing replica of the password manager login page hosted by the attacker, where they may enter their master password or MFA token. … |
| Remediation | Apply the vendor-released patch referenced in the INCIBE advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-password-manager. … |
EUVD-2026-37679