CVE-2026-44502
Description
Bugsink is a self-hosted error tracking tool. Prior to 2.1.3, Bugsink’s webhook URL validation could be (partially) bypassed because of a mismatch in URL parsing. The original validation logic parsed webhook URLs with Python’s urllib.parse.urlparse, then sent the request with requests.post. For malformed inputs involving backslashes and @, those components can disagree about where the authority ends and which hostname is the real target. A URL may therefore appear to target an allowlisted public hostname during validation, while the HTTP client actually connects to a different host. This vulnerability is fixed in 2.1.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
bugsinkPyPI | < 2.1.3 | 2.1.3 |
Affected products
2Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-fp53-qcf8-2xx2ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-44502ghsaADVISORY
- github.com/bugsink/bugsink/commit/940d2df635e06803ef658666d734306942db5cc7nvdWEB
- github.com/bugsink/bugsink/releases/tag/2.1.3nvdWEB
- github.com/bugsink/bugsink/security/advisories/GHSA-fp53-qcf8-2xx2nvdWEB
News mentions
0No linked articles in our index yet.