Skip to content
Threat Feed
high advisory

CVE-2026-59802 - PasswordPusher Data URI Scheme Vulnerability Leading to Client-Side JavaScript Execution

PasswordPusher versions prior to 2.8.1 contain a client-side vulnerability (CVE-2026-59802) due to insufficient validation of URL push payloads, allowing attackers to embed malicious data URI schemes that execute arbitrary JavaScript in victims' browsers when clicked, enabling phishing and credential theft under the trusted PasswordPusher domain.

A critical vulnerability, CVE-2026-59802, has been identified in PasswordPusher versions prior to 2.8.1. This flaw stems from insufficient validation within the application's valid_url function, which incorrectly permits data: URI schemes in URL push payloads. Attackers can leverage this by crafting malicious pushes containing data:text/html URIs that, when clicked by a victim, execute arbitrary JavaScript code within their web browser. This client-side execution occurs under the trusted PasswordPusher domain, creating a highly effective vector for sophisticated phishing attacks, credential theft, and potential session hijacking. The vulnerability poses a significant risk to user data integrity and confidentiality, emphasizing the need for immediate patching for all affected deployments.

Attack Chain

  1. Attacker crafts a malicious URL payload utilizing the data: URI scheme (e.g., data:text/html,<script>malicious_javascript_code_here</script>).
  2. Attacker creates a PasswordPusher "push" (message or URL entry) and embeds the malicious data: URI into it.
  3. The attacker delivers this crafted malicious push to a target victim through legitimate PasswordPusher functionality.
  4. The victim accesses the received push message within the PasswordPusher application's web interface.
  5. The victim, perceiving a legitimate link from a trusted source, clicks on the displayed malicious data: URI.
  6. Due to the insufficient validation in PasswordPusher's valid_url function (CVE-2026-59802), the application fails to properly sanitize or block the data: URI.
  7. The victim's web browser then navigates to the data: URI, and the embedded arbitrary JavaScript executes within the security context of the PasswordPusher domain.
  8. The executed JavaScript proceeds to perform malicious actions such as displaying deceptive login forms (phishing), capturing user input, or exfiltrating session cookies and other sensitive information, leading to credential theft.

Impact

The successful exploitation of CVE-2026-59802 could lead to significant data breaches and financial losses for individual users and organizations relying on PasswordPusher. Victims are susceptible to sophisticated phishing attacks where their credentials (passwords, tokens) are stolen due to JavaScript executing in a trusted domain context. This bypasses standard phishing defenses and can result in unauthorized access to other systems. The integrity of shared secrets is compromised, leading to a cascade of potential security incidents across an organization. While specific victim counts are not yet reported, any user interacting with a vulnerable PasswordPusher instance is at risk.

Recommendation

  • Upgrade PasswordPusher to version 2.8.1 or later immediately to address CVE-2026-59802.
  • Educate users about the dangers of clicking unfamiliar links, especially those using data: URI schemes, even if they appear within a trusted application interface.