What is the CVSS score of EUVD-2026-37680?

EUVD-2026-37680 has a CVSS 4.0 base score of 5.1 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N.

Is there a patch available for EUVD-2026-37680?

Yes, a patch is available for EUVD-2026-37680. Update the affected software to the latest version immediately.

Password Manager EUVD-2026-37680

| CVE-2026-10839 MEDIUM

URL Redirection to Untrusted Site (Open Redirect) (CWE-601)

2026-06-17 INCIBE

Open Redirect Password Manager

5.1

CVSS 4.0 · Vendor: INCIBE

Severity by source

Vendor (INCIBE) PRIMARY

5.1 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

vuln.today AI

5.4 MEDIUM

Network-accessible with no attacker authentication, but mandatory victim interaction (UI:R); scope unchanged as the redirect is external; C:L and I:L reflect phishing-enabled credential and interface integrity risk without direct data extraction.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (INCIBE).

CVSS VectorVendor: INCIBE

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Lifecycle Timeline

Analysis Generated

Jun 17, 2026 - 13:18 vuln.today

DescriptionCVE.org

Open redirection vulnerability in the authentication system allows an attacker to use manipulated values in the X-Forwarded-Host header to alter the URLs generated by the application. A successful exploit could redirect authenticated users to malicious sites following login procedures or interaction with the interface, resulting in limited impact on confidentiality and integrity.

AnalysisAI

Open redirection in the Password Manager authentication system enables network-accessible, unauthenticated attackers to manipulate the X-Forwarded-Host HTTP header to redirect authenticated users to attacker-controlled sites immediately following login or interface interaction. The vulnerability is particularly hazardous in the context of a credential store application, where a convincing post-login redirect to a cloned phishing interface could yield an attacker's full access to a victim's stored password vault. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Craft phishing link with spoofed X-Forwarded-Host header

Delivery

Deliver link to targeted Password Manager user

Exploit

Victim authenticates to legitimate application

Execution

Application trusts manipulated header and builds redirect URL

Persist

Victim silently forwarded to attacker-controlled phishing site

Impact

Attacker captures re-entered credentials or harvests session context

Access

Craft phishing link with spoofed X-Forwarded-Host header

Delivery

Deliver link to targeted Password Manager user

Exploit

Victim authenticates to legitimate application

Execution

Application trusts manipulated header and builds redirect URL

Persist

Victim silently forwarded to attacker-controlled phishing site

Impact

Attacker captures re-entered credentials or harvests session context

Vulnerability AssessmentAI

Exploitation	Exploitation requires that the attacker control or influence the X-Forwarded-Host header value received by the Password Manager application - achievable by distributing a crafted URL through phishing, QR codes, or redirects, or by interposing an attacker-controlled proxy on the network path. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS 4.0 score of 5.1 (Medium) reasonably reflects the constrained but meaningful real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker distributes a phishing email or message containing a crafted deep-link to the Password Manager login page with a manipulated X-Forwarded-Host header value pointing to an attacker-controlled domain that visually mimics the application. When the victim follows the link, authenticates successfully, and the application generates the post-login redirect using the untrusted header, they are transparently forwarded to the malicious site - still believing they are in a trusted session - where the attacker's interface captures a re-entered master password or session token. …
Remediation	A vendor-released patch is confirmed available per the INCIBE advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-password-manager; administrators should consult this notice immediately to identify the exact fixed release version and apply the update. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-53523 MEDIUM This Month

6.8 Jun 12

Host header injection in Nezha Monitoring versions 1.0.0 through 2.2.0 allows unauthenticated remote attackers to redire

CVE-2026-50089 MEDIUM This Month

6.1 Jun 12

Open redirect in the Aqara IAM/SSO Gateway (gw-builder.aqara.com) allows remote unauthenticated attackers to craft Aqara

CVE-2026-10837 MEDIUM This Month

5.1 Jun 17

Open redirection in Password Manager exposes users to phishing attacks by failing to validate the X-Forwarded-Host HTTP

CVE-2025-32748 MEDIUM This Month

4.3 Jun 17

Host Header Injection in Dell PowerFlex Rack RCM 3.7 enables unauthenticated remote attackers to trigger open redirects

CVE-2026-54276 MEDIUM This Month

Jun 15

DigestAuthMiddleware in aiohttp leaks HTTP Digest authentication credentials to attacker-controlled cross-origin redirec

EUVD-2026-37680 vulnerability details – vuln.today

Back