<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>PasswordPusher - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/passwordpusher/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 08 Jul 2026 20:18:02 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/passwordpusher/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-59802 - PasswordPusher Data URI Scheme Vulnerability Leading to Client-Side JavaScript Execution</title><link>https://feed.craftedsignal.io/briefs/2026-07-passwordpusher-data-uri-vulnerability/</link><pubDate>Wed, 08 Jul 2026 20:18:02 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-passwordpusher-data-uri-vulnerability/</guid><description>PasswordPusher versions prior to 2.8.1 contain a client-side vulnerability (CVE-2026-59802) due to insufficient validation of URL push payloads, allowing attackers to embed malicious data URI schemes that execute arbitrary JavaScript in victims' browsers when clicked, enabling phishing and credential theft under the trusted PasswordPusher domain.</description><content:encoded><![CDATA[<p>A critical vulnerability, CVE-2026-59802, has been identified in PasswordPusher versions prior to 2.8.1. This flaw stems from insufficient validation within the application's <code>valid_url</code> function, which incorrectly permits <code>data:</code> URI schemes in URL push payloads. Attackers can leverage this by crafting malicious pushes containing <code>data:text/html</code> URIs that, when clicked by a victim, execute arbitrary JavaScript code within their web browser. This client-side execution occurs under the trusted PasswordPusher domain, creating a highly effective vector for sophisticated phishing attacks, credential theft, and potential session hijacking. The vulnerability poses a significant risk to user data integrity and confidentiality, emphasizing the need for immediate patching for all affected deployments.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker crafts a malicious URL payload utilizing the <code>data:</code> URI scheme (e.g., <code>data:text/html,&lt;script&gt;malicious_javascript_code_here&lt;/script&gt;</code>).</li>
<li>Attacker creates a PasswordPusher &quot;push&quot; (message or URL entry) and embeds the malicious <code>data:</code> URI into it.</li>
<li>The attacker delivers this crafted malicious push to a target victim through legitimate PasswordPusher functionality.</li>
<li>The victim accesses the received push message within the PasswordPusher application's web interface.</li>
<li>The victim, perceiving a legitimate link from a trusted source, clicks on the displayed malicious <code>data:</code> URI.</li>
<li>Due to the insufficient validation in PasswordPusher's <code>valid_url</code> function (CVE-2026-59802), the application fails to properly sanitize or block the <code>data:</code> URI.</li>
<li>The victim's web browser then navigates to the <code>data:</code> URI, and the embedded arbitrary JavaScript executes within the security context of the PasswordPusher domain.</li>
<li>The executed JavaScript proceeds to perform malicious actions such as displaying deceptive login forms (phishing), capturing user input, or exfiltrating session cookies and other sensitive information, leading to credential theft.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-59802 could lead to significant data breaches and financial losses for individual users and organizations relying on PasswordPusher. Victims are susceptible to sophisticated phishing attacks where their credentials (passwords, tokens) are stolen due to JavaScript executing in a trusted domain context. This bypasses standard phishing defenses and can result in unauthorized access to other systems. The integrity of shared secrets is compromised, leading to a cascade of potential security incidents across an organization. While specific victim counts are not yet reported, any user interacting with a vulnerable PasswordPusher instance is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade PasswordPusher to version 2.8.1 or later immediately to address CVE-2026-59802.</li>
<li>Educate users about the dangers of clicking unfamiliar links, especially those using <code>data:</code> URI schemes, even if they appear within a trusted application interface.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>web-application</category><category>client-side</category><category>javascript</category><category>credential-theft</category><category>phishing</category></item></channel></rss>