Bugsink
Products
1- Bugsink9 CVEspypi
Recent CVEs
9| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-40162 | Hig | 0.46 | 7.1 | 0.00 | Apr 10, 2026 | Bugsink is a self-hosted error tracking tool. In 2.1.0, an authenticated file write vulnerability was identified in Bugsink 2.1.0 in the artifact bundle assembly flow. A user with a valid authentication token could cause the application to write attacker-controlled content to a… | ||
| CVE-2025-64509 | Hig | 0.42 | 7.5 | 0.00 | Nov 10, 2025 | Bugsink is a self-hosted error tracking tool. In versions prior to 2.0.6, a specially crafted Brotli-compressed envelope can cause Bugsink to spend excessive CPU time in decompression, leading to denial of service. This can be done if the DSN is known, which it is in many common… | ||
| CVE-2025-54433 | Hig | 0.40 | — | 0.01 | Jul 30, 2025 | Bugsink is a self-hosted error tracking service. In versions 1.4.2 and below, 1.5.0 through 1.5.4, 1.6.0 through 1.6.3, and 1.7.0 through 1.7.3, ingestion paths construct file locations directly from untrusted event_id input without validation. A specially crafted event_id can… | ||
| CVE-2026-47728 | Med | 0.21 | 4.3 | 0.00 | May 26, 2026 | Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, Bugsink resolved sourcemaps and debug files by debug ID without scoping that lookup to the project that owned the uploaded metadata. An authenticated user with access to one project could cause event processing in… | ||
| CVE-2026-44502 | Med | 0.21 | 4.3 | 0.00 | May 26, 2026 | Bugsink is a self-hosted error tracking tool. Prior to 2.1.3, Bugsink’s webhook URL validation could be (partially) bypassed because of a mismatch in URL parsing. The original validation logic parsed webhook URLs with Python’s urllib.parse.urlparse, then sent the request… | ||
| CVE-2026-47716 | Low | 0.13 | 3.1 | 0.00 | May 26, 2026 | Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, In affected versions, the issue list view authorizes access through the project in the URL, but applies the requested bulk action to the submitted issue IDs without also requiring those issues to belong to that… | ||
| CVE-2026-47715 | Low | 0.13 | 3.1 | 0.00 | May 26, 2026 | Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, Bugsink issue event pages accept a direct event identifier from the URL and, in affected versions, look up that event without also requiring it to belong to the issue in the URL. This is a project-boundary… | ||
| CVE-2026-53954 | 0.00 | — | 0.00 | Jun 5, 2026 | ### Summary In affected versions, Bugsink stores every tag supplied with an incoming event. An event with an unusually large number of custom (i.e. supplied by an attacker) tags can therefore make ingestion spend more time than intended writing tag rows. Bugsink uses a… | |||
| CVE-2026-27614 | 0.00 | — | 0.00 | Feb 25, 2026 | Bugsink is a self-hosted error tracking tool. In versions prior to 2.0.13, an unauthenticated attacker who can submit events to a Bugsink project can store arbitrary JavaScript in an event. The payload executes only if a user explicitly views the affected Stacktrace in the web… |
- risk 0.46cvss 7.1epss 0.00
Bugsink is a self-hosted error tracking tool. In 2.1.0, an authenticated file write vulnerability was identified in Bugsink 2.1.0 in the artifact bundle assembly flow. A user with a valid authentication token could cause the application to write attacker-controlled content to a…
- risk 0.42cvss 7.5epss 0.00
Bugsink is a self-hosted error tracking tool. In versions prior to 2.0.6, a specially crafted Brotli-compressed envelope can cause Bugsink to spend excessive CPU time in decompression, leading to denial of service. This can be done if the DSN is known, which it is in many common…
- risk 0.40cvss —epss 0.01
Bugsink is a self-hosted error tracking service. In versions 1.4.2 and below, 1.5.0 through 1.5.4, 1.6.0 through 1.6.3, and 1.7.0 through 1.7.3, ingestion paths construct file locations directly from untrusted event_id input without validation. A specially crafted event_id can…
- risk 0.21cvss 4.3epss 0.00
Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, Bugsink resolved sourcemaps and debug files by debug ID without scoping that lookup to the project that owned the uploaded metadata. An authenticated user with access to one project could cause event processing in…
- risk 0.21cvss 4.3epss 0.00
Bugsink is a self-hosted error tracking tool. Prior to 2.1.3, Bugsink’s webhook URL validation could be (partially) bypassed because of a mismatch in URL parsing. The original validation logic parsed webhook URLs with Python’s urllib.parse.urlparse, then sent the request…
- risk 0.13cvss 3.1epss 0.00
Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, In affected versions, the issue list view authorizes access through the project in the URL, but applies the requested bulk action to the submitted issue IDs without also requiring those issues to belong to that…
- risk 0.13cvss 3.1epss 0.00
Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, Bugsink issue event pages accept a direct event identifier from the URL and, in affected versions, look up that event without also requiring it to belong to the issue in the URL. This is a project-boundary…
- CVE-2026-53954Jun 5, 2026risk 0.00cvss —epss 0.00
### Summary In affected versions, Bugsink stores every tag supplied with an incoming event. An event with an unusually large number of custom (i.e. supplied by an attacker) tags can therefore make ingestion spend more time than intended writing tag rows. Bugsink uses a…
- CVE-2026-27614Feb 25, 2026risk 0.00cvss —epss 0.00
Bugsink is a self-hosted error tracking tool. In versions prior to 2.0.13, an unauthenticated attacker who can submit events to a Bugsink project can store arbitrary JavaScript in an event. The payload executes only if a user explicitly views the affected Stacktrace in the web…