CVE-2026-59802
PasswordPusher · PasswordPusher
PasswordPusher is susceptible to a redirect-based Cross-Site Scripting (XSS) vulnerability due to improper input validation of data-URI schemes in URL push payloads.
Executive summary
A high-severity XSS vulnerability in PasswordPusher allows unauthenticated attackers to execute malicious scripts via crafted URL payloads.
Vulnerability
The application fails to properly sanitize input, allowing for a redirect-based XSS attack. This flaw permits unauthenticated attackers to inject malicious scripts into the application environment via specifically crafted data-URI schemes.
Business impact
Successful exploitation of this vulnerability can lead to unauthorized script execution in the context of a victim's browser session. This may result in session hijacking, the theft of sensitive credentials, or redirection to malicious third-party domains, potentially leading to significant reputational and data security impacts. Given the CVSS score of 8.2, this vulnerability represents a substantial risk to organizational security.
Remediation
Immediate Action: Upgrade to PasswordPusher version 2.8.1 or later to implement the necessary input validation patches.
Proactive Monitoring: Monitor access logs for unusual URL structures or requests containing encoded data-URI schemes that deviate from standard application behavior.
Compensating Controls: Deploy a Web Application Firewall (WAF) with strict XSS filtering rules to inspect incoming URL parameters and block malicious payloads.
Exploitation status
Public Exploit Available: false
Analyst recommendation
The presence of an XSS vulnerability in a credential management tool is particularly concerning. Administrators should prioritize patching to version 2.8.1 immediately to prevent potential session compromise and ensure the integrity of the PasswordPusher deployment.