CVE-2026-41308 PUBLISHED

Password Pusher: JSON API `/p.json` file upload alias bypasses file-push authentication

Assigner: GitHub_M
Reserved: 20.04.2026 Published: 08.05.2026 Updated: 08.05.2026

Password Pusher is an open source application to communicate sensitive information over the web. Prior to versions 1.69.3 and 2.4.2, a security issue in OSS PasswordPusher allowed unauthenticated creation of file-type pushes through a generic JSON API create path under certain configurations. This could bypass the intended authentication boundary for file push creation. This issue has been patched in versions 1.69.3 and 2.4.2.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
CVSS Score: 6.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	pglombardo
Product	PasswordPusher
Versions	Version < 1.69.3 is affected Version >= 2.0.0-a, < 2.4.2 is affected

References

Problem Types

CWE-288: Authentication Bypass Using an Alternate Path or Channel CWE