PasswordPusher before 2.9.2 contains a brute-force vulnerability in the POST /p/:token/access endpoint that lacks route-specific rate limiting and per-push lockout mechanisms. Attackers who know a push token can systematically guess passphrases at 120 attempts per minute without triggering any push-level defense, making short or dictionary-derived passphrases practically recoverable within hours or days.
Metrics
Affected Vendors & Products
References
History
Mon, 13 Jul 2026 22:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Pglombardo
Pglombardo password Pusher |
|
| Vendors & Products |
Pglombardo
Pglombardo password Pusher |
Mon, 13 Jul 2026 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | PasswordPusher before 2.9.2 contains a brute-force vulnerability in the POST /p/:token/access endpoint that lacks route-specific rate limiting and per-push lockout mechanisms. Attackers who know a push token can systematically guess passphrases at 120 attempts per minute without triggering any push-level defense, making short or dictionary-derived passphrases practically recoverable within hours or days. | |
| Title | PasswordPusher < 2.9.2 Passphrase Brute-Force via Unthrottled Endpoint | |
| Weaknesses | CWE-307 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published: 2026-07-13T21:30:07.937Z
Updated: 2026-07-13T21:30:07.937Z
Reserved: 2026-07-09T14:07:55.624Z
Link: CVE-2026-61458
No data.
No data.
No data.