PT-2026-43307 · Bugsink · Bugsink
Shuluzhuo
·
Published
2026-05-26
·
Updated
2026-06-08
·
CVE-2026-47728
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Bugsink versions prior to 2.2.0
Description
Bugsink is a self-hosted error tracking tool that resolved sourcemaps and debug files by debug ID without scoping the lookup to the project that owned the uploaded metadata. An authenticated user with access to one project could cause event processing to use sourcemap or debug-file metadata uploaded for another project within the same instance if the same debug ID was referenced. This could lead to the disclosure of source context or symbolication-derived context from other projects. For minidumps and debug files, this issue requires the experimental
FEATURE MINIDUMPS to be enabled.Recommendations
Update to version 2.2.0.
After upgrading, upload sourcemaps and debug files with project information.
Run the command
bugsink-manage delete legacy sourcemaps after upgrading to remove legacy projectless sourcemap metadata.Exploit
Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Bugsink