Filtered by vendor Pglombardo Subscriptions
Filtered by product Password Pusher Subscriptions
Total 3 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2026-61458 1 Pglombardo 1 Password Pusher 2026-07-13 7.5 High
PasswordPusher before 2.9.2 contains a brute-force vulnerability in the POST /p/:token/access endpoint that lacks route-specific rate limiting and per-push lockout mechanisms. Attackers who know a push token can systematically guess passphrases at 120 attempts per minute without triggering any push-level defense, making short or dictionary-derived passphrases practically recoverable within hours or days.
CVE-2026-41308 2 Apnotic, Pglombardo 2 Password Pusher, Password Pusher 2026-06-05 6.5 Medium
Password Pusher is an open source application to communicate sensitive information over the web. Prior to versions 1.69.3 and 2.4.2, a security issue in OSS PasswordPusher allowed unauthenticated creation of file-type pushes through a generic JSON API create path under certain configurations. This could bypass the intended authentication boundary for file push creation. This issue has been patched in versions 1.69.3 and 2.4.2.
CVE-2024-52796 1 Pglombardo 1 Password Pusher 2026-04-15 5.3 Medium
Password Pusher, an open source application to communicate sensitive information over the web, comes with a configurable rate limiter. In versions prior to v1.49.0, the rate limiter could be bypassed by forging proxy headers allowing bad actors to send unlimited traffic to the site potentially causing a denial of service. In v1.49.0, a fix was implemented to only authorize proxies on local IPs which resolves this issue. As a workaround, one may add rules to one's proxy and/or firewall to not accept external proxy headers such as `X-Forwarded-*` from clients.