CVE-2026-41308

medium
Published 2026-05-08 · Modified 2026-05-14
CVSS v3
6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
CVSS v2
VIR risk
6.5

Description

Password Pusher is an open source application to communicate sensitive information over the web. Prior to versions 1.69.3 and 2.4.2, a security issue in OSS PasswordPusher allowed unauthenticated creation of file-type pushes through a generic JSON API create path under certain configurations. This could bypass the intended authentication boundary for file push creation. This issue has been patched in versions 1.69.3 and 2.4.2.

Predictions

Exploit likelihood
75%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-qfh8-f79c-x86c

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/pglombardo/PasswordPusher/pull/4381

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/pglombardo/PasswordPusher/commit/45dc2512875231ef45ecd5dfc8c3c8185f882bf4

Application impact

Vendor   Product           Affected versions         Fixed in
pwpush   password_pusher   >= 2.0.0, < 2.4.2         2.4.2
pwpush   password_pusher   (no range given)          1.69.3

References

CWEs

CWE-288
