PasswordPusher before 2.9.2 contains a brute-force vulnerability in the POST /p/:token/access endpoint that lacks route-specific rate limiting and per-push lockout mechanisms. Attackers who know a push token can systematically guess passphrases at 120 attempts per minute without triggering any push-level defense, making short or dictionary-derived passphrases practically recoverable within hours or days.
{
"cwe_ids": [
"CWE-307"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/61xxx/CVE-2026-61458.json",
"cna_assigner": "VulnCheck"
}