CVE-2026-59802
Received Received - Intake

PasswordPusher URL Push Data URI XSS Vulnerability

Vulnerability report for CVE-2026-59802, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: VulnCheck

Description

PasswordPusher before 2.8.1 accepts data URI schemes in URL push payloads due to insufficient validation in the valid_url function. Attackers can create malicious pushes containing data:text/html URIs that execute arbitrary JavaScript in victims' browsers when clicked, enabling phishing and credential theft under the trusted PasswordPusher domain.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
passwordpusher passwordpusher to 2.8.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-183 The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability enables attackers to execute arbitrary JavaScript in victims' browsers under the trusted PasswordPusher domain, which can lead to phishing and credential theft.

Such unauthorized access to credentials and potential data exposure could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Therefore, exploitation of this vulnerability may result in violations of these standards due to compromised confidentiality and potential misuse of user data.

Executive Summary

CVE-2026-59802 is a vulnerability in PasswordPusher versions 2.8.0 and earlier that allows an attacker to perform a redirect-based cross-site scripting (XSS) attack via a trusted domain.

The issue arises because the application accepts any URI scheme, including data: URIs, in its URL push feature due to insufficient validation in the valid_url function.

An attacker can create a malicious push containing a data:text/html URI, which when clicked by a victim, triggers a redirect to attacker-controlled HTML that executes arbitrary JavaScript in the victim's browser under the trusted PasswordPusher domain.

This enables phishing, credential theft, or other malicious activities.

The root cause is insufficient URL scheme validation allowing non-HTTP(S) schemes to bypass restrictions.

Impact Analysis

This vulnerability can impact you by enabling attackers to execute arbitrary JavaScript in your browser under the trusted PasswordPusher domain.

Such execution can lead to phishing attacks where attackers trick you into revealing sensitive information.

It can also result in credential theft, compromising your login details and potentially other sensitive data.

Because the attack occurs under a trusted domain, victims may be more likely to trust malicious content.

Detection Guidance

This vulnerability involves malicious URL push payloads containing data:text/html URIs accepted by PasswordPusher before version 2.8.1. Detection can focus on identifying such payloads or suspicious URL schemes in network traffic or application logs.

  • Monitor network traffic or logs for URL push payloads containing data: URI schemes, especially data:text/html.
  • Use grep or similar tools to search application logs for occurrences of 'data:text/html' or 'data:' in URL fields.
  • Example command to search logs: grep -r 'data:text/html' /path/to/passwordpusher/logs
  • Inspect HTTP requests to the PasswordPusher service for URL push payloads with non-http(s) schemes.
Mitigation Strategies

The primary mitigation is to upgrade PasswordPusher to version 2.8.1 or later, where the valid_url function restricts accepted URL schemes to only http and https.

Until an upgrade can be performed, consider blocking or filtering URL push payloads containing data: URI schemes to prevent malicious payloads from being accepted.

Educate users to be cautious about clicking on URL push links, especially those that appear suspicious or unexpected.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59802. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart