CVE-2026-41308
6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Summary
Password Pusher is an open source application to communicate sensitive information over the web. Prior to versions 1.69.3 and 2.4.2, a security issue in OSS PasswordPusher allowed unauthenticated creation of file-type pushes through a generic JSON API create path under certain configurations. This could bypass the intended authentication boundary for file push creation. This issue has been patched in versions 1.69.3 and 2.4.2.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| pglombardo | PasswordPusher | < 1.69.3 | affected |
| pglombardo | PasswordPusher | >= 2.0.0-a, < 2.4.2 | affected |
Weaknesses
- CWE-288: CWE-288: Authentication Bypass Using an Alternate Path or Channel
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-qfh8-f79c-x86c
- https://github.com/pglombardo/PasswordPusher/pull/4381
- https://github.com/pglombardo/PasswordPusher/commit/45dc2512875231ef45ecd5dfc8c3c8185f882bf4
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.