Brute-Force Vulnerability in PasswordPusher by PasswordPusher
CVE-2026-61458

8.7HIGH

Key Information:

Vendor

Pglombardo

Vendor
CVE Published:
13 July 2026

What is CVE-2026-61458?

The PasswordPusher application prior to version 2.9.2 exhibits a significant brute-force vulnerability in the POST /p/:token/access endpoint. This vulnerability arises due to the absence of route-specific rate limiting and push-specific lockout mechanisms. As a result, an attacker with knowledge of a push token can execute up to 120 passphrase attempts per minute without facing any deterrents. This flaw makes it feasible for attackers to recover short or dictionary-derived passphrases within a matter of hours or days, thereby compromising the intended security of the platform.

Affected Version(s)

PasswordPusher 0 < 2.9.2

PasswordPusher 2.9.2

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

de3erve-hunter
.