PasswordPusher before 2.8.1 accepts data URI schemes in URL push payloads due to insufficient validation in the valid_url function. Attackers can create malicious pushes containing data:text/html URIs that execute arbitrary JavaScript in victims' browsers when clicked, enabling phishing and credential theft under the trusted PasswordPusher domain.
History

Tue, 14 Jul 2026 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Apnotic
Apnotic password Pusher
CPEs cpe:2.3:a:apnotic:password_pusher:*:*:*:*:*:*:*:*
Vendors & Products Apnotic
Apnotic password Pusher

Fri, 10 Jul 2026 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Pwpush
Pwpush password Pusher
Vendors & Products Pwpush
Pwpush password Pusher

Thu, 09 Jul 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Jul 2026 19:45:00 +0000

Type Values Removed Values Added
Description PasswordPusher before 2.8.1 accepts data URI schemes in URL push payloads due to insufficient validation in the valid_url function. Attackers can create malicious pushes containing data:text/html URIs that execute arbitrary JavaScript in victims' browsers when clicked, enabling phishing and credential theft under the trusted PasswordPusher domain.
Title PasswordPusher < 2.8.1 - Redirect-Based XSS via data URI in URL Push Payload
Weaknesses CWE-183
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N'}

cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2026-07-08T19:42:07.906Z

Updated: 2026-07-14T22:03:28.588Z

Reserved: 2026-07-07T14:39:14.062Z

Link: CVE-2026-59802

cve-icon Vulnrichment

Updated: 2026-07-09T14:28:49.137Z

cve-icon NVD

No data.

cve-icon Redhat

No data.