CVE-2026-41308

EPSS 0.29%
Veröffentlicht 08.05.2026 14:30:37
Zuletzt bearbeitet 05.06.2026 00:26:18
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Password Pusher: JSON API `/p.json` file upload alias bypasses file-push authentication

Password Pusher is an open source application to communicate sensitive information over the web. Prior to versions 1.69.3 and 2.4.2, a security issue in OSS PasswordPusher allowed unauthenticated creation of file-type pushes through a generic JSON API create path under certain configurations. This could bypass the intended authentication boundary for file push creation. This issue has been patched in versions 1.69.3 and 2.4.2.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

NVD 2 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apnotic ≫ Password Pusher Version < 1.69.3

Apnotic ≫ Password Pusher Version >= 2.0.0 < 2.4.2

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.29%	0.204

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	6.5	3.9	2.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CWE-288 Authentication Bypass Using an Alternate Path or Channel

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-qfh8-f79c-x86c

Vendor Advisory

https://github.com/pglombardo/PasswordPusher/pull/4381

Patch

Issue Tracking

https://github.com/pglombardo/PasswordPusher/commit/45dc2512875231ef45ecd5dfc8c3c8185f882bf4

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-41308

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-41308

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-41308

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-41308