CVE-2026-41308 MEDIUM

CVE-2026-41308: Password Pusher: JSON API `/p.json` file upload alias bypasses file-push authentication

Vendor: Pglombardo
Product: PasswordPusher
Weakness: CWE-288
Published: May 8, 2026
Last update: May 11, 2026

CVSS base score: 6.5/10

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: None
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

What the vulnerability does

01 Description

Password Pusher is an open source application to communicate sensitive information over the web. Prior to versions 1.69.3 and 2.4.2, a security issue in OSS PasswordPusher allowed unauthenticated creation of file-type pushes through a generic JSON API create path under certain configurations. This could bypass the intended authentication boundary for file push creation. This issue has been patched in versions 1.69.3 and 2.4.2.

Key dates

02 Disclosure timeline

May 8, 2026: CVE published
May 11, 2026: Record updated