Vulnerability Description
Password Pusher is an open source application to communicate sensitive information over the web. Prior to versions 1.69.3 and 2.4.2, a security issue in OSS PasswordPusher allowed unauthenticated creation of file-type pushes through a generic JSON API create path under certain configurations. This could bypass the intended authentication boundary for file push creation. This issue has been patched in versions 1.69.3 and 2.4.2.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pwpush | Password Pusher | >= 2.0.0, < 2.4.2 |
Related Weaknesses (CWE)
References
- https://github.com/pglombardo/PasswordPusher/commit/45dc2512875231ef45ecd5dfc8c3Patch
- https://github.com/pglombardo/PasswordPusher/pull/4381Issue TrackingPatch
- https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-qfh8-f79c-Vendor Advisory
FAQ
What is CVE-2026-41308?
CVE-2026-41308 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Password Pusher is an open source application to communicate sensitive information over the web. Prior to versions 1.69.3 and 2.4.2, a security issue in OSS PasswordPusher allowed unauthenticated crea...
How severe is CVE-2026-41308?
CVE-2026-41308 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-41308?
Check the references section above for vendor advisories and patch information. Affected products include: Pwpush Password Pusher.