Product
A brute-force vulnerability, tracked as CVE-2026-61458, exists in PasswordPusher versions prior to 2.9.2, allowing attackers with a known push token to systematically guess passphrases at high rates due to a lack of route-specific rate limiting and per-push lockout mechanisms on the POST /p/:token/access endpoint, potentially leading to the recovery of sensitive secrets within hours or days.