CVE-2026-10836
Received Received - Intake
Host Header Injection in Web Application

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description
Improper handling of HTTP headers that allows a remote attacker to manipulate the value of the Host header using specially crafted requests. A successful exploit could result in the generation of manipulated links or responses, potentially leading to limited information disclosure or compromising the integrity of dependent services.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-06-17
AI Q&A
2026-06-17
EPSS Evaluated
N/A
NVD
CVE-2026-10836
EUVD
EUVD-2026-37678
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
incibe password_manager to 2025-08-06 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-644 The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves improper handling of HTTP headers, specifically allowing a remote attacker to manipulate the value of the Host header by sending specially crafted requests.

Exploiting this flaw could lead to the generation of manipulated links or responses, which might cause limited information disclosure or compromise the integrity of services that depend on these headers.

Impact Analysis

The vulnerability could allow attackers to manipulate links or redirect users to malicious sites, potentially enabling phishing attacks.

It may also result in limited information disclosure or compromise the integrity of dependent services, which could affect the security and trustworthiness of your systems.

Mitigation Strategies

To mitigate this vulnerability, users should update the Password Manager application to the latest version released on August 7, 2025, which contains fixes for this and related issues.

Applying this update will address the improper handling of HTTP headers and prevent potential manipulation of links, phishing attacks, or limited information disclosure.

Compliance Impact

This vulnerability involves improper handling of HTTP headers that could lead to manipulated links, limited information disclosure, or compromised integrity of dependent services.

Such issues could potentially increase the risk of phishing attacks or unauthorized information exposure, which may impact compliance with standards like GDPR or HIPAA that require protection of personal and sensitive data.

However, there is no explicit information provided about direct effects on compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10836. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart