PatchSiren cyber security CVE debrief
CVE-2026-41308 pglombardo CVE debrief
CVE-2026-41308 is a security issue in OSS PasswordPusher that allowed unauthenticated creation of file-type pushes through a generic JSON API create path under certain configurations. This could bypass the intended authentication boundary for file push creation. The issue has been patched in versions 1.69.3 and 2.4.2.
- Vendor: pglombardo
- Product: PasswordPusher
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-08
- Original CVE updated: 2026-06-05
- Advisory published: 2026-05-08
- Advisory updated: 2026-06-05
Who should care
Users of Password Pusher versions prior to 1.69.3 and 2.4.2 should update to the latest version to prevent unauthenticated file push creation.
Technical summary
The vulnerability has a CVSS score of 6.5 and a severity of MEDIUM. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L. The weakness is classified as CWE-288.
Defensive priority
MEDIUM
Recommended defensive actions
- Update Password Pusher to version 1.69.3 or 2.4.2, or later.
- Review and restrict access to the JSON API create path.
Evidence notes
Evidence from NVD and GitHub security advisories.
Official resources
- CVE-2026-41308 CVE record (CVE.org)
- CVE-2026-41308 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch
- Mitigation or vendor reference: [email protected] - Issue Tracking, Patch
- Mitigation or vendor reference: [email protected] - Vendor Advisory
CVE-2026-41308 was published on 2026-05-08T15:16:39.480Z and modified on 2026-06-05T00:26:18.943Z.