PasswordPusher before 2.9.2 contains a brute-force vulnerability in the POST /p/:token/access endpoint that lacks route-specific rate limiting and per-push lockout mechanisms. Attackers who know a push token can systematically guess passphrases at 120 attempts per minute without triggering any push-level defense, making short or dictionary-derived passphrases practically recoverable within hours or days.
Metrics
Affected Vendors & Products
References
History
Tue, 14 Jul 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Mon, 13 Jul 2026 22:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Pglombardo
Pglombardo password Pusher |
|
| Vendors & Products |
Pglombardo
Pglombardo password Pusher |
Mon, 13 Jul 2026 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | PasswordPusher before 2.9.2 contains a brute-force vulnerability in the POST /p/:token/access endpoint that lacks route-specific rate limiting and per-push lockout mechanisms. Attackers who know a push token can systematically guess passphrases at 120 attempts per minute without triggering any push-level defense, making short or dictionary-derived passphrases practically recoverable within hours or days. | |
| Title | PasswordPusher < 2.9.2 Passphrase Brute-Force via Unthrottled Endpoint | |
| Weaknesses | CWE-307 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-14T14:31:07.860Z
Reserved: 2026-07-09T14:07:55.624Z
Link: CVE-2026-61458
Updated: 2026-07-14T14:25:20.637Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-13T22:30:04Z