Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-61458— PasswordPusher < 2.9.2 Passphrase Brute-Force via Unthrottled Endpoint

CVSS 7.5 · High EPSS 0.30% · P22

Affected Version Matrix 2

VendorProductVersion RangeStatus
pglombardoPasswordPusher< 2.9.2affected
2.9.2unaffected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-61458

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
PasswordPusher < 2.9.2 Passphrase Brute-Force via Unthrottled Endpoint
Source: NVD (National Vulnerability Database)
Vulnerability Description
PasswordPusher before 2.9.2 contains a brute-force vulnerability in the POST /p/:token/access endpoint that lacks route-specific rate limiting and per-push lockout mechanisms. Attackers who know a push token can systematically guess passphrases at 120 attempts per minute without triggering any push-level defense, making short or dictionary-derived passphrases practically recoverable within hours or days.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
过多认证尝试的限制不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
pglombardo PasswordPusher 授权问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
pglombardo PasswordPusher是pglombardo的密码推送工具。 pglombardo PasswordPusher 2.9.2之前版本存在授权问题漏洞,该漏洞源于POST /p/:token/access端点缺少路由特定的速率限制和每次推送锁定机制,可能导致知道推送令牌的攻击者系统性地猜测口令,每小时最多120次尝试,而不会触发任何推送级别的防御,使得短口令或基于字典的口令在数小时或数天内可被实际恢复。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
pglombardoPasswordPusher 0 ~ 2.9.2 -

II. Public POCs for CVE-2026-61458

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-61458

登录查看更多情报信息。

Vendor Advisories for CVE-2026-61458 (2)

IV. Related Vulnerabilities

V. Comments for CVE-2026-61458

No comments yet


Leave a comment