PT-2026-43307 · Bugsink · Bugsink

Shuluzhuo

·

Published

2026-05-26

·

Updated

2026-06-08

·

CVE-2026-47728

CVSS v3.1

4.3

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions Bugsink versions prior to 2.2.0
Description Bugsink is a self-hosted error tracking tool that resolved sourcemaps and debug files by debug ID without scoping the lookup to the project that owned the uploaded metadata. An authenticated user with access to one project could cause event processing to use sourcemap or debug-file metadata uploaded for another project within the same instance if the same debug ID was referenced. This could lead to the disclosure of source context or symbolication-derived context from other projects. For minidumps and debug files, this issue requires the experimental FEATURE MINIDUMPS to be enabled.
Recommendations Update to version 2.2.0. After upgrading, upload sourcemaps and debug files with project information. Run the command bugsink-manage delete legacy sourcemaps after upgrading to remove legacy projectless sourcemap metadata.

Exploit

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-47728
GHSA-5389-F7VH-WXJ8

Affected Products

Bugsink