Critical vulnerability in Bugsink 2026
Critical vulnerability - 02/03
Introduction
CVE-2026-27614 is a stored cross-site scripting (XSS) vulnerability in Bugsink, a self-contained bug tracking tool. An unauthenticated attacker who can send events to a project can inject arbitrary JavaScript into those events. The malicious JavaScript is stored in the database and executed when an administrator views the affected stack trace in the Bugsink web interface.
Analysis
CVE-2026-27614 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N - 9.3
The vulnerability originates in the rendering of stack traces when they are displayed in the web interface. To improve readability, Bugsink applies syntax highlighting using a specialized library. During this process, an internal function processes the stack trace lines and generates HTML that is then inserted into the page. The problem arises when, under certain specific conditions, the library returns a different number of lines than expected: the system then falls back to an alternative processing path that can return content that has not been properly sanitized. That content is subsequently marked explicitly as safe for rendering in HTML, which prevents the template engine from escaping it.
As a consequence of this incorrect workflow, an attacker with access to the project's DSN can send a manipulated event containing JavaScript embedded within the stack trace. Since DSNs are public by design, no authentication is required to send it. The malicious content is not executed upon receipt; it is stored in the database as if it were a legitimate part of the bug report. The payload fires when a privileged user, such as an administrator, opens the web interface and views the affected event. At that point, the browser interprets the unsanitized content as executable code and runs the script with the privileges of the active session.
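To make the failure mode concrete, here is an added illustration (not Bugsink's code; the stand-in highlighter, the SafeStr marker and the trace lines are all constructed assumptions) of a fallback path that returns unescaped lines and then marks the result safe, beside the fixed version that escapes before marking:

```python
"""Added illustration, not Bugsink's code: a highlighting step whose fallback
path skips escaping before the result is marked safe, and the fixed version.
The highlighter, SafeStr and trace lines below are constructed stand-ins."""
import html
from typing import Callable, List


class SafeStr(str):
    """Mimics a template 'safe' marker (the result of a mark_safe-style call):
    template_output() passes it through without escaping."""


def template_output(value: str) -> str:
    """Models the template engine's autoescaping: safe values are not escaped."""
    return str(value) if isinstance(value, SafeStr) else html.escape(value)


def stand_in_highlighter(lines: List[str]) -> List[str]:
    """Stand-in for the syntax highlighting library. It escapes its input but,
    as an assumed edge case, drops trailing blank lines, so the caller can get
    back fewer lines than it passed in."""
    out = [f'<span class="tok">{html.escape(line)}</span>' for line in lines]
    while out and out[-1] == '<span class="tok"></span>':
        out.pop()
    return out


def render_trace_vulnerable(lines: List[str]) -> SafeStr:
    highlighted = stand_in_highlighter(lines)
    if len(highlighted) != len(lines):
        highlighted = lines  # fallback returns the raw, unescaped input
    return SafeStr("<br>".join(highlighted))  # marked safe on both paths


def render_trace_fixed(lines: List[str]) -> SafeStr:
    highlighted = stand_in_highlighter(lines)
    if len(highlighted) != len(lines):
        highlighted = [html.escape(line) for line in lines]  # escape first
    return SafeStr("<br>".join(highlighted))  # now safe to mark safe


def page_html(renderer: Callable[[List[str]], SafeStr], lines: List[str]) -> str:
    """What the browser would receive for the given renderer."""
    return template_output(renderer(lines))


# Constructed event payload: one frame line carries markup; the trailing blank
# line is what makes the stand-in highlighter return a shorter list.
SAMPLE_TRACE = ['File "app.py", line 12, in handler', "<script>alert(1)</script>", ""]
```

Without the trailing blank line both renderers take the highlighted path and the markup is escaped; only the mismatch case exposes the difference.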
Affected versions
Bugsink versions prior to 2.0.13.
Recommendations
Update Bugsink to version 2.0.13 or higher.
Workarounds
There are no workarounds available for this vulnerability.
