PT-2026-21841 · Bugsink · Bugsink

Byamb4 · Published 2026-02-25 · Updated 2026-03-02 · CVE-2026-27614

CVSS v3.1: 9.3 (Critical) · AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Bugsink versions prior to 2.0.13

Description: Bugsink is a self-hosted error tracking tool affected by a stored cross-site scripting (XSS) issue. An unauthenticated attacker who can submit events to a Bugsink project can store arbitrary JavaScript in an event. The payload executes when a user views the affected stacktrace in the web UI. The issue occurs because the pygmentize_lines() function in theme/templatetags/issues.py:75-77 falls back to returning the raw input lines when Pygments returns more lines than expected, and mark_safe() is then applied unconditionally to these unsanitized lines. Since Data Source Name (DSN) endpoints are public, no account is needed to inject the payload. Successful exploitation requires the attacker to submit events to the project and an administrator to view the crafted event in the UI, allowing the attacker to execute JavaScript in the administrator's browser and act with their privileges within Bugsink.

Recommendations: Update Bugsink to version 2.0.13 or later.
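To make the root cause concrete, here is an added Python illustration (not Bugsink's own code) of the fallback-then-mark_safe pattern beside its hardened form: the function names, the toy highlighters, the SafeString stand-in and the sample frame are assumptions constructed for this example.

```python
import html
from typing import Callable, List

# Constructed illustration of the bug class in the advisory; not Bugsink's code.

class SafeString(str):
    """Stand-in for Django's SafeString: the template engine emits it unescaped."""

def mark_safe(s: str) -> SafeString:
    return SafeString(s)

def toy_highlight(lines: List[str]) -> List[str]:
    """Constructed highlighter that guarantees a trailing newline before
    re-splitting, so it returns one more line than it was given."""
    text = "\n".join(lines) + "\n"
    return [f'<span class="src">{html.escape(l)}</span>' for l in text.split("\n")]

def exact_highlight(lines: List[str]) -> List[str]:
    """Constructed highlighter whose line count always matches the input."""
    return [f'<span class="src">{html.escape(l)}</span>' for l in lines]

Highlighter = Callable[[List[str]], List[str]]

def pygmentize_lines_vulnerable(lines: List[str], highlight: Highlighter) -> List[SafeString]:
    highlighted = highlight(lines)
    if len(highlighted) != len(lines):
        highlighted = lines                      # raw, unescaped source lines
    return [mark_safe(l) for l in highlighted]   # marked safe unconditionally

def pygmentize_lines_fixed(lines: List[str], highlight: Highlighter) -> List[SafeString]:
    highlighted = highlight(lines)
    if len(highlighted) != len(lines):
        highlighted = [html.escape(l) for l in lines]  # escape before trusting
    return [mark_safe(l) for l in highlighted]

def render(lines: List[str]) -> str:
    """Mimic template autoescaping: plain str is escaped, SafeString passes through."""
    return "\n".join(l if isinstance(l, SafeString) else html.escape(l) for l in lines)

# Constructed stack frame whose source text happens to contain markup.
FRAME = ["value = parse(raw)", "<b>not markup, just source text</b>"]

if __name__ == "__main__":
    print(render(pygmentize_lines_vulnerable(FRAME, toy_highlight)))  # markup reaches the page
    print(render(pygmentize_lines_fixed(FRAME, toy_highlight)))       # markup is escaped
```

With the line-count mismatch the vulnerable version hands the raw frame text to the browser as trusted HTML; the fixed version escapes on that path and is identical to the vulnerable one only when highlighting succeeds.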

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-27614
GHSA-VP6Q-7M36-PQ3W

Affected Products

Bugsink