Skip to main content

Passwordpusher

3 CVEs product

Monthly

CVE-2026-61458 HIGH This Week

Passphrase brute-force in PasswordPusher before 2.9.2 lets remote attackers who possess a push token recover the passphrase protecting a shared secret by hammering the POST /p/:token/access endpoint. Because that route has no per-route rate limiting and no per-push lockout, an attacker can sustain roughly 120 guesses per minute, making short or dictionary-based passphrases recoverable within hours to days. Reported by VulnCheck; no public exploit identified at time of analysis and not listed in CISA KEV.

Information Disclosure Passwordpusher
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-59802 MEDIUM PATCH This Month

Cross-site scripting via data URI injection in PasswordPusher before 2.8.1 allows unauthenticated attackers to create URL pushes containing data:text/html payloads that execute arbitrary JavaScript in victims' browsers under the trusted PasswordPusher origin. The root cause is the valid_url function accepting data: URI schemes as valid URLs, meaning any attacker with push creation access can craft a link that, when clicked by a recipient, renders attacker-controlled HTML and JavaScript within the trusted application domain - enabling convincing phishing pages or session cookie harvesting. No public exploit has been identified at time of analysis, but a vendor-released patch (2.8.1) is available per the GitHub security advisory.

Information Disclosure Passwordpusher
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-41308 MEDIUM PATCH This Month

Unauthenticated attackers can create file-type pushes through Password Pusher's JSON API endpoints when the application is configured to allow anonymous pushes, bypassing intended authentication requirements for file uploads. Affected versions prior to 1.69.3 and 2.4.2 permit remote POST requests to /p.json and /api/v2/pushes endpoints with file payloads without valid credentials, allowing unauthorized file storage and potential information disclosure. Vendor-released patches versions 1.69.3 and 2.4.2 enforce mandatory authentication for all file-type push creation regardless of anonymous-push configuration.

Information Disclosure Passwordpusher
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
EPSS 0% CVSS 8.7
HIGH This Week

Passphrase brute-force in PasswordPusher before 2.9.2 lets remote attackers who possess a push token recover the passphrase protecting a shared secret by hammering the POST /p/:token/access endpoint. Because that route has no per-route rate limiting and no per-push lockout, an attacker can sustain roughly 120 guesses per minute, making short or dictionary-based passphrases recoverable within hours to days. Reported by VulnCheck; no public exploit identified at time of analysis and not listed in CISA KEV.

Information Disclosure Passwordpusher
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Cross-site scripting via data URI injection in PasswordPusher before 2.8.1 allows unauthenticated attackers to create URL pushes containing data:text/html payloads that execute arbitrary JavaScript in victims' browsers under the trusted PasswordPusher origin. The root cause is the valid_url function accepting data: URI schemes as valid URLs, meaning any attacker with push creation access can craft a link that, when clicked by a recipient, renders attacker-controlled HTML and JavaScript within the trusted application domain - enabling convincing phishing pages or session cookie harvesting. No public exploit has been identified at time of analysis, but a vendor-released patch (2.8.1) is available per the GitHub security advisory.

Information Disclosure Passwordpusher
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Unauthenticated attackers can create file-type pushes through Password Pusher's JSON API endpoints when the application is configured to allow anonymous pushes, bypassing intended authentication requirements for file uploads. Affected versions prior to 1.69.3 and 2.4.2 permit remote POST requests to /p.json and /api/v2/pushes endpoints with file payloads without valid credentials, allowing unauthorized file storage and potential information disclosure. Vendor-released patches versions 1.69.3 and 2.4.2 enforce mandatory authentication for all file-type push creation regardless of anonymous-push configuration.

Information Disclosure Passwordpusher
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy