CVE-2026-10836
Received Received - Intake

Host Header Injection in Web Application

Vulnerability report for CVE-2026-10836, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description

Improper handling of HTTP headers that allows a remote attacker to manipulate the value of the Host header using specially crafted requests. A successful exploit could result in the generation of manipulated links or responses, potentially leading to limited information disclosure or compromising the integrity of dependent services.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-07-08
AI Q&A
2026-06-17
EPSS Evaluated
2026-07-06
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
incibe password_manager to 2025-08-06 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-644 The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability involves improper handling of HTTP headers that could lead to manipulated links, limited information disclosure, or compromised integrity of dependent services.

Such issues could potentially increase the risk of phishing attacks or unauthorized information exposure, which may impact compliance with standards like GDPR or HIPAA that require protection of personal and sensitive data.

However, there is no explicit information provided about direct effects on compliance with these regulations.

Executive Summary

This vulnerability involves improper handling of HTTP headers, specifically allowing a remote attacker to manipulate the value of the Host header by sending specially crafted requests.

Exploiting this flaw could lead to the generation of manipulated links or responses, which might cause limited information disclosure or compromise the integrity of services that depend on these headers.

Impact Analysis

The vulnerability could allow attackers to manipulate links or redirect users to malicious sites, potentially enabling phishing attacks.

It may also result in limited information disclosure or compromise the integrity of dependent services, which could affect the security and trustworthiness of your systems.

Mitigation Strategies

To mitigate this vulnerability, users should update the Password Manager application to the latest version released on August 7, 2025, which contains fixes for this and related issues.

Applying this update will address the improper handling of HTTP headers and prevent potential manipulation of links, phishing attacks, or limited information disclosure.

Detection Guidance

This vulnerability involves improper handling of HTTP Host headers that can be manipulated by specially crafted requests. To detect it on your network or system, you can monitor HTTP traffic for unusual or suspicious Host header values.

One approach is to use network traffic analysis tools or web server logs to identify requests with unexpected or malformed Host headers.

Example commands to help detect such attempts include:

  • Using tcpdump to capture HTTP traffic and filter for Host headers: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'Host:'
  • Using grep on web server access logs to find suspicious Host header values: grep -i 'Host:' /var/log/httpd/access_log | grep -E '([a-z0-9.-]+\.[a-z]{2,})'
  • Using curl to test the server response to manipulated Host headers: curl -H 'Host: malicious.example.com' http://target-server/

Additionally, updating the Password Manager application to the fixed version released on August 7, 2025, is recommended to mitigate this vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10836. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart