{"id":"CVE-2026-59802","summary":"PasswordPusher \u003c 2.8.1 - Redirect-Based XSS via data URI in URL Push Payload","details":"PasswordPusher before 2.8.1 accepts data URI schemes in URL push payloads due to insufficient validation in the valid_url function. Attackers can create malicious pushes containing data:text/html URIs that execute arbitrary JavaScript in victims' browsers when clicked, enabling phishing and credential theft under the trusted PasswordPusher domain.","aliases":["GHSA-76c2-66pg-fj2f"],"modified":"2026-07-16T03:31:06.019294514Z","published":"2026-07-08T19:42:07.906Z","database_specific":{"cwe_ids":["CWE-183"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59802.json","cna_assigner":"VulnCheck"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59802.json"},{"type":"ADVISORY","url":"https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-76c2-66pg-fj2f"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-59802"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/passwordpusher-redirect-based-xss-via-data-uri-in-url-push-payload"},{"type":"PACKAGE","url":"https://github.com/pglombardo/PasswordPusher"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pglombardo/passwordpusher","events":[{"introduced":"0"},{"fixed":"aae8c6b697a9b3bfb8eb54e9bc3b62c64eae1fa9"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"2.8.1"}],"source":["AFFECTED_FIELD","DESCRIPTION"]}}],"versions":["v2.8.0","v2.7.4","v2.7.3","v2.7.2","v2.7.1","v2.7.0","v2.6.6","v2.6.5","v2.6.4","v2.6.0","v2.6.3","v2.6.2","v2.6.1","v2.5.4","v2.5.3","v2.5.2","v2.5.1","v2.5.0","v2.4.4","v2.4.3","v2.4.2","v1.69.3","v2.4.1","v2.4.0","v2.3.0","v2.2.2","v2.2.1","v2.2.0","v2.1.2","v2.1.1","v2.1.0","v2.0.4","v2.0.2","v2.0.1","v2.0.0","v2.0.0-a","v1.69.2","v1.69.1","v1.69.0","v1.68.3","v1.68.2","v1.68.1","v1.68.0","v1.67.2","v1.67.1","v1.67.0","v1.66.2","v1.66.1","stable","v1.66.0","v1.65.3","v1.65.2","v1.65.1","v1.65.0","v1.64.2","v1.64.1","v1.64.0","v1.63.6","v1.63.5","v1.63.4","v1.63.3","v1.63.2","v1.63.0","v1.63.0a","v1.62.1","v1.62.0","v1.61.1","v1.61.0","v1.60.2","v1.60.1","v1.60.0","v1.59.2","v1.59.1","v1.59.0","v1.58.6","v1.58.5","v1.58.4","v1.58.3","v1.58.2","v1.58.1","v1.58.0","v1.57.1","v1.57.0","v1.56.6","v1.56.5","v1.56.4","v1.56.3","v1.56.2","v1.56.1","v1.56.0","v1.55.0","v1.54.1","v1.54.0","v1.53.11","v1.53.10","v1.53.9","v1.53.8","v1.53.7","v1.53.6","v1.53.5","v1.53.4","v1.53.3","v1.53.2","v1.53.1","v1.53.0","v1.52.0","v1.51.13","v1.51.12","v1.51.11","v1.51.10","v1.51.9","v1.51.8","v1.51.7","v1.51.6","v1.51.5","v1.51.4","v1.51.3","v1.51.2","v1.51.1","v1.51.0","v1.50.18","v1.50.17","v1.50.16","v1.50.15","v1.50.14","v1.50.13","v1.50.12","v1.50.11","v1.50.10","v1.50.9","v1.50.8","v1.50.7","v1.50.6","v1.50.5","v1.50.4","v1.50.3","v1.50.2","v1.50.1","v1.50.0","v1.49.4","v1.49.3","v1.49.2","v1.49.1","v1.49.0","v1.48.2","v1.48.1","v1.48.0","v1.47.4","v1.47.3","v1.47.2","v1.47.1","v1.47.0","v1.46.3","v1.46.2","v1.46.1","v1.46.0","v1.45.11","v1.45.10","v1.45.9","v1.45.8","v1.45.7","v1.45.6","v1.45.5","v1.45.4","v1.45.3","v1.45.2","v1.45.1","v1.45.0","v1.44.0","v1.43.1","v1.43.0","v1.42.2","v1.42.1","v1.42.0","v1.41.15","v1.41.14","v1.41.13","v1.41.12","v1.41.11","v1.41.10","v1.41.9","v1.41.8","v1.41.7","v1.41.6","v1.41.5","v1.41.4","v1.41.3","v1.41.2","v1.41.1","v1.41.0","v1.40.15","v1.40.14","v1.40.13","v1.40.12","v1.40.11","v1.40.10","v1.40.9","v1.40.8","v1.40.7","v1.40.6","v1.40.5","v1.40.4","v1.40.3","v1.40.2","v1.40.1","v1.40.0","v1.39.9","v1.39.8","v1.39.7","v1.39.6","v1.39.5","v1.39.4","release","v1.39.3","v1.39.2","v1.39.1","v1.39.0","v1.38.1","v1.38.0","v1.37.12","v1.37.11","v1.37.10","v1.37.9","v1.37.8","v1.37.7","v1.37.6","v1.37.5","v1.37.4","v1.37.3","v1.37.2","v1.37.1","v1.37.0","v1.36.9","v1.36.8","v1.36.7","v1.36.6","v1.36.5","v1.36.4","v1.36.3","v1.36.2","v1.36.1","v1.36.0","v1.35.2","v1.35.1","v1.35.0","v1.34.5","v1.34.4","v1.34.3","v1.34.2","v1.34.1","v1.34.0","v1.33.0","v1.32.9","v1.32.8","v1.32.7","v1.32.6","v1.32.5","v1.32.4","v1.32.3","v1.32.2","v1.32.1","v1.32.0","v1.31.8","v1.31.7","v1.31.6","v1.31.5","v1.31.4","v1.31.3","v1.31.2","v1.31.1","v1.31.0","v1.30.13","v1.30.12","v1.30.11","v1.30.10","v1.30.9","v1.30.8","v1.30.7","v1.30.6","v1.30.5","v1.30.4","v1.30.3","v1.30.2","v1.30.1","v1.30.0","v1.29.3","v1.29.2","v1.29.1","v1.29.0","v1.28.14","v1.28.13","v1.28.12","v1.28.11","v1.28.10","v1.28.9","v1.28.8","v1.28.7","v1.28.6","v1.28.5","v1.28.4","v1.28.3","v1.28.2","v1.28.2.rc2","v1.28.2.rc1","v1.28.1","v1.28.0","v1.27.0","v1.26.18","v1.26.17","v1.26.16","v1.26.15","v1.26.14","v1.26.13","v1.26.12","v1.26.11","v1.26.10","v1.26.9","v1.26.8","v1.26.7","v1.26.6","v1.26.5","v1.26.4","v1.26.3","v1.26.2","v1.26.1","v1.26.0","v1.25.8","v1.25.7","v1.25.6","v1.25.5","v1.25.4","v1.25.3","v1.25.2","v1.25.1","v1.25.0","v1.24.8","v1.24.7","v1.24.6","v1.24.5","v1.24.4","v1.24.3","v1.24.2","v1.24.1","v1.24.0","v1.23.10","v1.23.9","v1.23.8","v1.23.7","v1.23.6","v1.23.5","v1.23.4","v1.23.3","v1.23.2","v1.23.1","v1.23.0","v1.22.3","v1.22.2","v1.22.1","v1.22.0","v1.21.0","v1.20.7","v1.20.6","v1.20.5","v1.20.4","v1.20.3","v1.20.2","v1.20.1","v1.20.0","v1.19.1","v1.19.0","v1.18.0","v1.17.15","v1.17.14","v1.17.13","v1.17.12","v1.17.11","v1.17.10","v1.17.9","v1.17.8","v1.17.7","v1.17.6","v1.17.5","v1.17.4","v1.17.3","v1.17.2","v1.17.1","v1.17.0","v1.16.1","v1.16.0","v1.15.1","v1.15.0","v1.14.3","v1.14.2","v1.14.1","v1.14.0","v1.13.0","v1.12.0","v1.11.12","v1.11.11","v1.11.10","v1.11.9","v1.11.8.1","v1.11.8","v1.11.7","v1.11.6","v1.11.5","v1.11.4","v1.11.3","v1.11.2","v1.11.1","v1.11.0","v1.10.4","v1.10.3","v1.10.2","v1.10.1","v1.10.0","v1.9.1","v1.9.0","v1.8.0","v1.7.0","v1.6.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59802.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"}]}