CVE-2026-59802

PasswordPusher · PasswordPusher

PasswordPusher is susceptible to a redirect-based Cross-Site Scripting (XSS) vulnerability due to improper input validation of data-URI schemes in URL push payloads.

Executive summary

A high-severity XSS vulnerability in PasswordPusher allows unauthenticated attackers to execute malicious scripts via crafted URL payloads.

Vulnerability

The application fails to properly sanitize input, allowing for a redirect-based XSS attack. This flaw permits unauthenticated attackers to inject malicious scripts into the application environment via specifically crafted data-URI schemes.

Business impact

Successful exploitation of this vulnerability can lead to unauthorized script execution in the context of a victim's browser session. This may result in session hijacking, the theft of sensitive credentials, or redirection to malicious third-party domains, potentially leading to significant reputational and data security impacts. Given the CVSS score of 8.2, this vulnerability represents a substantial risk to organizational security.

Remediation

Immediate Action: Upgrade to PasswordPusher version 2.8.1 or later to implement the necessary input validation patches.

Proactive Monitoring: Monitor access logs for unusual URL structures or requests containing encoded data-URI schemes that deviate from standard application behavior.

Compensating Controls: Deploy a Web Application Firewall (WAF) with strict XSS filtering rules to inspect incoming URL parameters and block malicious payloads.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The presence of an XSS vulnerability in a credential management tool is particularly concerning. Administrators should prioritize patching to version 2.8.1 immediately to prevent potential session compromise and ensure the integrity of the PasswordPusher deployment.