PT-2026-56539 · Passwordpusher · Password Pusher

George Chen

·

Published

2026-07-08

·

Updated

2026-07-08

·

CVE-2026-59802

CVSS v3.1

8.2

High

VectorAV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
PasswordPusher before 2.8.1 accepts data URI schemes in URL push payloads due to insufficient validation in the valid url function. Attackers can create malicious pushes containing data:text/html URIs that execute arbitrary JavaScript in victims' browsers when clicked, enabling phishing and credential theft under the trusted PasswordPusher domain.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-59802

Affected Products

Password Pusher