Multiple vulnerabilities in Password Manager
Posted date 05/06/2026
Identifier
INCIBE-2026-400
Importance
3 - Medium
Affected Resources
- Password Manager (tested in versions prior to August 6, 2025).
Description
INCIBE has coordinated the disclosure of three medium-severity vulnerabilities affecting Password Manager, an application for managing passwords across multiple types of services. The vulnerabilities were discovered by Julen Garrido Estévez.
The following codes, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type have been assigned to each vulnerability:
- CVE-2026-10836: CVSS v4.0: 5.8 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N | CWE-644
- CVE-2026-10837: CVSS v4.0: 5.8 | CVSS AV:N/AC:H/AT:N/PR:N/UI:R/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N | CWE-601
- CVE-2026-10839: CVSS v4.0: 5.8 | CVSS AV:N/AC:H/AT:N/PR:N/UI:R/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N | CWE-601
Solution
The vulnerabilities have been fixed by the Password Manager team on 07/08/2025. We recommend updating to the latest available version.
Detail
- CVE-2026-10836: Improper handling of HTTP headers allows a remote attacker to manipulate the value of the Host header using specially crafted requests. A successful exploit could result in the generation of manipulated links or responses, potentially leading to limited information disclosure or compromising the integrity of dependent services.
- CVE-2026-10837: Open redirection vulnerability due to insufficient validation of the X-Forwarded-Host HTTP header. An attacker could create manipulated links that, when opened by a victim, cause the victim to be redirected to domains controlled by the attacker, enabling phishing or deception attacks with limited impact on confidentiality and integrity.
- CVE-2026-10839: Open redirection vulnerability in the authentication system allows an attacker to use manipulated values in the X-Forwarded-Host header to alter the URLs generated by the application. A successful exploit could redirect authenticated users to malicious sites following login procedures or interaction with the interface, resulting in limited impact on confidentiality and integrity.
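The three issues share one root cause: URLs handed back to the browser are assembled from the request's Host / X-Forwarded-Host headers, which a client can set freely. The following Python is an added illustration (not Password Manager's or INCIBE's code) showing that pattern beside a corrected version; the hostnames, header handling and function names are assumptions for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed deployment values; the real application's hostnames are not on the page.
CANONICAL_HOST = "vault.example.org"
ALLOWED_HOSTS = {CANONICAL_HOST, "vault-staging.example.org"}


def build_login_redirect_vulnerable(headers: dict, next_path: str) -> str:
    """Pattern behind CWE-644 / CWE-601 here: the absolute URL sent to the
    browser after login is assembled from client-controllable headers."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    scheme = headers.get("X-Forwarded-Proto", "https")
    return f"{scheme}://{host}{next_path}"


def canonical_host(headers: dict) -> str:
    """Use a header-supplied host only if it is one this deployment serves.
    Anything else (spoofed X-Forwarded-Host, unknown Host, comma-joined
    proxy chains) falls back to the configured canonical name instead of
    being echoed into generated URLs."""
    raw = headers.get("X-Forwarded-Host") or headers.get("Host") or ""
    hostname = raw.split(",")[0].strip().lower().split(":")[0]
    return hostname if hostname in ALLOWED_HOSTS else CANONICAL_HOST


def safe_next_path(next_path: str) -> str:
    """Accept only a same-origin relative path as the post-login target.
    Rejects absolute URLs, protocol-relative '//host' forms and backslash
    variants that some browsers normalise to '/'."""
    parts = urlsplit(next_path)
    if parts.scheme or parts.netloc or "\\" in next_path:
        return "/"
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return "/"
    return urlunsplit(("", "", parts.path, parts.query, ""))


def build_login_redirect_hardened(headers: dict, next_path: str) -> str:
    """Host comes from configuration (validated), path is restricted to
    same-origin, so neither a header nor a parameter can send the user off-site."""
    return f"https://{canonical_host(headers)}{safe_next_path(next_path)}"


if __name__ == "__main__":
    spoofed = {"Host": CANONICAL_HOST, "X-Forwarded-Host": "attacker.test"}
    print(build_login_redirect_vulnerable(spoofed, "/dashboard"))  # leaves the site
    print(build_login_redirect_hardened(spoofed, "/dashboard"))    # stays on canonical host
```

In a real deployment the allowlist check belongs in the framework's trusted-host / proxy-fix layer, and X-Forwarded-* headers should only be honoured when the request provably arrived through your own reverse proxy.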
CVE
| CVE Identifier | Severity | Exploitation | Vendor |
|---|---|---|---|
| CVE-2026-10836 | Medium | No | Password Manager |
| CVE-2026-10837 | Medium | No | Password Manager |
| CVE-2026-10839 | Medium | No | Password Manager |