{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/passwordpusher/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2026-59802"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PasswordPusher (\u003c 2.8.1)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","web-application","client-side","javascript","credential-theft","phishing"],"_cs_type":"advisory","_cs_vendors":["PasswordPusher"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-59802, has been identified in PasswordPusher versions prior to 2.8.1. This flaw stems from insufficient validation within the application's \u003ccode\u003evalid_url\u003c/code\u003e function, which incorrectly permits \u003ccode\u003edata:\u003c/code\u003e URI schemes in URL push payloads. Attackers can leverage this by crafting malicious pushes containing \u003ccode\u003edata:text/html\u003c/code\u003e URIs that, when clicked by a victim, execute arbitrary JavaScript code within their web browser. This client-side execution occurs under the trusted PasswordPusher domain, creating a highly effective vector for sophisticated phishing attacks, credential theft, and potential session hijacking. The vulnerability poses a significant risk to user data integrity and confidentiality, emphasizing the need for immediate patching for all affected deployments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious URL payload utilizing the \u003ccode\u003edata:\u003c/code\u003e URI scheme (e.g., \u003ccode\u003edata:text/html,\u0026lt;script\u0026gt;malicious_javascript_code_here\u0026lt;/script\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAttacker creates a PasswordPusher \u0026quot;push\u0026quot; (message or URL entry) and embeds the malicious \u003ccode\u003edata:\u003c/code\u003e URI into it.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers this crafted malicious push to a target victim through legitimate PasswordPusher functionality.\u003c/li\u003e\n\u003cli\u003eThe victim accesses the received push message within the PasswordPusher application's web interface.\u003c/li\u003e\n\u003cli\u003eThe victim, perceiving a legitimate link from a trusted source, clicks on the displayed malicious \u003ccode\u003edata:\u003c/code\u003e URI.\u003c/li\u003e\n\u003cli\u003eDue to the insufficient validation in PasswordPusher's \u003ccode\u003evalid_url\u003c/code\u003e function (CVE-2026-59802), the application fails to properly sanitize or block the \u003ccode\u003edata:\u003c/code\u003e URI.\u003c/li\u003e\n\u003cli\u003eThe victim's web browser then navigates to the \u003ccode\u003edata:\u003c/code\u003e URI, and the embedded arbitrary JavaScript executes within the security context of the PasswordPusher domain.\u003c/li\u003e\n\u003cli\u003eThe executed JavaScript proceeds to perform malicious actions such as displaying deceptive login forms (phishing), capturing user input, or exfiltrating session cookies and other sensitive information, leading to credential theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-59802 could lead to significant data breaches and financial losses for individual users and organizations relying on PasswordPusher. Victims are susceptible to sophisticated phishing attacks where their credentials (passwords, tokens) are stolen due to JavaScript executing in a trusted domain context. This bypasses standard phishing defenses and can result in unauthorized access to other systems. The integrity of shared secrets is compromised, leading to a cascade of potential security incidents across an organization. While specific victim counts are not yet reported, any user interacting with a vulnerable PasswordPusher instance is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade PasswordPusher to version 2.8.1 or later immediately to address CVE-2026-59802.\u003c/li\u003e\n\u003cli\u003eEducate users about the dangers of clicking unfamiliar links, especially those using \u003ccode\u003edata:\u003c/code\u003e URI schemes, even if they appear within a trusted application interface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T20:18:02Z","date_published":"2026-07-08T20:18:02Z","id":"https://feed.craftedsignal.io/briefs/2026-07-passwordpusher-data-uri-vulnerability/","summary":"PasswordPusher versions prior to 2.8.1 contain a client-side vulnerability (CVE-2026-59802) due to insufficient validation of URL push payloads, allowing attackers to embed malicious data URI schemes that execute arbitrary JavaScript in victims' browsers when clicked, enabling phishing and credential theft under the trusted PasswordPusher domain.","title":"CVE-2026-59802 - PasswordPusher Data URI Scheme Vulnerability Leading to Client-Side JavaScript Execution","url":"https://feed.craftedsignal.io/briefs/2026-07-passwordpusher-data-uri-vulnerability/"}],"language":"en","title":"CraftedSignal Threat Feed - PasswordPusher","version":"https://jsonfeed.org/version/1.1"}