Bugsink is vulnerable to Stored XSS via Pygments fallback in stacktrace rendering
Description
Bugsink is a self-hosted error tracking tool. In versions prior to 2.0.13, an unauthenticated attacker who can submit events to a Bugsink project can store arbitrary JavaScript in an event. The payload executes only if a user explicitly views the affected Stacktrace in the web UI. When Pygments returns more lines than it was given (a known upstream quirk that triggers with Ruby heredoc-style input), _pygmentize_lines() in theme/templatetags/issues.py:75-77 falls back to returning the raw input lines. mark_safe() at line 111-113 is then applied unconditionally - including to those unsanitized raw lines. Since DSN endpoints are public by Sentry protocol, no account is needed to inject. The payload sits in the database until an admin looks at the event. Successful exploitation requires that the attacker to be able to submit events to the project (i.e. knows the DSN or can access a client that uses it), the Bugsink ingest endpoint is reachable to the attacker, and an administrator explicitly views the crafted event in the UI. Under those conditions, the attacker can execute JavaScript in the administrator’s browser and act with that user’s privileges within Bugsink. Version 2.0.13 fixes the vulnerability.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
bugsinkPyPI | < 2.0.13 | 2.0.13 |
Affected products
1Patches
1e784d6aeb0d5Fix: escape output for pygments fallback
2 files changed · +7 −3
theme/templatetags/issues.py+1 −1 modified@@ -74,7 +74,7 @@ def _pygmentize_lines(lines, filename=None, platform=None): result = _core_pygments(code, filename=filename, platform=platform).split('\n')[:-1] if len(lines) != len(result): capture_stacktrace("Pygments line count mismatch, falling back to unformatted code") - result = lines + result = [escape(l) for l in lines] return result
theme/tests.py+6 −2 modified@@ -80,6 +80,8 @@ def test_pygmentize_lines_newline_on_otherwise_empty_line(self): self._pygmentize_lines(["\n", "\n", "\n"]) def test_pygmentize_lines_ruby_regression(self): + # deal with https://github.com/pygments/pygments/issues/2998 + # code taken from: # https://github.com/rails/rails/blob/0f969a989c87/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb code = """ # - format_type includes the column size constraint, e.g. varchar(50) @@ -91,8 +93,10 @@ def column_definitions(table_name) #:nodoc: FROM pg_attribute a LEFT JOIN pg_attrdef d""" code_as_list = code.splitlines() - actual_pygmentize_lines(code_as_list, filename="postgresql_adapter.rb", platform="ruby") - self.capture_mock.assert_called() # https://github.com/pygments/pygments/issues/2998 + result = actual_pygmentize_lines(code_as_list, filename="postgresql_adapter.rb", platform="ruby") + self.assertEqual(len(code_as_list), len(result)) + self.assertTrue("exec_query(<<-end_sql" in result[3], result[3]) + self.capture_mock.assert_called() class TestChooseLexerForPattern(RegularTestCase):
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-vp6q-7m36-pq3wghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-27614ghsaADVISORY
- github.com/bugsink/bugsink/commit/e784d6aeb0d5f29b40c2779d2544c2b9ef097ee9ghsax_refsource_MISCWEB
- github.com/bugsink/bugsink/releases/tag/2.0.13ghsax_refsource_MISCWEB
- github.com/bugsink/bugsink/security/advisories/GHSA-vp6q-7m36-pq3wghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.