PT-2026-39265 · Bugsink

Fushuling

Published 2026-05-08 · Updated 2026-05-26

CVE-2026-44502

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Bugsink versions prior to 2.1.3

Description: A mismatch in URL parsing allows webhook URL validation to be bypassed. Bugsink validated webhook URLs with Python's urllib.parse.urlparse but sent the request with requests.post. For malformed inputs containing backslashes and @, these two components may disagree on the target hostname, so a URL can appear to point at an allowlisted public hostname during validation while the HTTP client connects to a different host, such as a loopback, private, or otherwise non-allowlisted address. The result is a Server-Side Request Forgery (SSRF): the server is induced to make an unintended outbound HTTP POST request.

Recommendations: Update to version 2.1.3. Restrict permissions for users who can configure or modify webhook URLs. Review existing webhook configurations for malformed or unusual URLs. Implement a tightly controlled outbound network policy at the deployment level.
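As an added defensive example (not Bugsink's own code, and not the fix shipped in 2.1.3): a validator that rejects the inputs the advisory describes as ambiguous between parsers (backslashes, @, whitespace and control characters) and returns a URL rebuilt from the validated components, so the HTTP client is handed exactly the scheme and host that passed the allowlist check. The allowlist, the function names and the WebhookUrlError class are assumptions made for this example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist for the example; a real deployment loads its own.
ALLOWED_HOSTS = {"hooks.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


class WebhookUrlError(ValueError):
    """Raised when a webhook URL is rejected (hypothetical class for this example)."""


def canonical_webhook_url(raw: str, allowlist=ALLOWED_HOSTS) -> str:
    """Validate a user-supplied webhook URL and return a canonical rebuilt form.

    Characters that URL parsers are known to interpret differently (backslash,
    '@', whitespace, control characters) are rejected outright rather than
    parsed; an '@' needed in a query string must be percent-encoded as %40.
    The return value is reassembled from the parsed components, so the HTTP
    client receives exactly the host that was checked against the allowlist.
    """
    if any(ch in raw for ch in "\\@") or any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in raw):
        raise WebhookUrlError("URL contains a backslash, '@', whitespace or control character")
    parts = urlsplit(raw)  # scheme is lower-cased by urlsplit
    if parts.scheme not in ALLOWED_SCHEMES:
        raise WebhookUrlError(f"scheme {parts.scheme!r} not allowed")
    host = parts.hostname  # lower-cased, IPv6 brackets stripped
    if not host or host not in allowlist:
        raise WebhookUrlError(f"host {host!r} not allowlisted")
    try:
        port = parts.port  # ValueError for non-numeric or out-of-range ports
    except ValueError as exc:
        raise WebhookUrlError("invalid port") from exc
    netloc = f"[{host}]" if ":" in host else host
    if port is not None:
        netloc = f"{netloc}:{port}"
    # Fragment is dropped: it is never sent to the server anyway.
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))


def is_safe_webhook_url(raw: str, allowlist=ALLOWED_HOSTS) -> bool:
    """Boolean convenience wrapper around canonical_webhook_url."""
    try:
        canonical_webhook_url(raw, allowlist)
    except WebhookUrlError:
        return False
    return True


if __name__ == "__main__":
    for candidate in ("HTTPS://Hooks.Example.com:443/notify?x=1#frag", "http://user@hooks.example.com/"):
        print(candidate, "->", "ok" if is_safe_webhook_url(candidate) else "rejected")
```

Sending only the string returned by canonical_webhook_url to the HTTP client removes the parser disagreement the advisory describes, because the client never sees the raw user input.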

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-44502
GHSA-FP53-QCF8-2XX2

Affected Products

Bugsink