Stored JavaScript Vulnerability in Bugsink Error Tracking Tool
CVE-2026-27614

9.3 CRITICAL

Key Information:

Vendor: Bugsink

Status
Vendor
CVE Published: 25 February 2026

What is CVE-2026-27614?

Bugsink, an error tracking tool, has a stored cross-site scripting (XSS) vulnerability in versions prior to 2.0.13 that allows unauthenticated attackers to inject arbitrary JavaScript into events submitted to a Bugsink project. The cause is improper handling of event input data when it is rendered in the web UI. When an administrator views the affected stack trace, the injected script can execute in the administrator's browser, potentially leading to unauthorized actions performed with that administrator's privileges. Because events are submitted through the public DSN endpoints, an attacker who has access to the project can craft an event carrying a harmful script and have it stored. Version 2.0.13 addresses this issue; installations running an earlier version should be updated.

Affected Version(s)

bugsink < 2.0.13

CVSS V3.1

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
