CVE-2026-27614
Status: Received - Intake
Stored XSS in Bugsink Event Submission Allows Admin Browser Hijack

Publication date: 2026-02-25

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
Bugsink is a self-hosted error tracking tool. In versions prior to 2.0.13, an unauthenticated attacker who can submit events to a Bugsink project can store arbitrary JavaScript in an event. The payload executes only if a user explicitly views the affected Stacktrace in the web UI. When Pygments returns more lines than it was given (a known upstream quirk that triggers with Ruby heredoc-style input), `_pygmentize_lines()` in `theme/templatetags/issues.py:75-77` falls back to returning the raw input lines. `mark_safe()` at lines 111-113 is then applied unconditionally, including to those unsanitized raw lines. Since DSN endpoints are public by Sentry protocol, no account is needed to inject. The payload sits in the database until an admin looks at the event. Successful exploitation requires that the attacker be able to submit events to the project (i.e. knows the DSN or can access a client that uses it), that the Bugsink ingest endpoint is reachable by the attacker, and that an administrator explicitly views the crafted event in the UI. Under those conditions, the attacker can execute JavaScript in the administrator's browser and act with that user's privileges within Bugsink. Version 2.0.13 fixes the vulnerability.
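The following is an added illustration of the pattern the description outlines, not Bugsink's own code: a highlighter stand-in that returns one line too many, the fallback that hands back the raw lines, and the hardened fallback that escapes them first. Pygments and Django's `mark_safe()` are replaced by a constructed `quirky_highlight()` and plain string concatenation so the snippet runs offline; the sample frame is constructed.

```python
import html
from typing import Callable, List

Highlighter = Callable[[str], List[str]]


def well_behaved_highlight(source: str) -> List[str]:
    """Constructed stand-in for a lexer/formatter: escapes each line."""
    return [html.escape(line, quote=True) for line in source.split("\n")]


def quirky_highlight(source: str) -> List[str]:
    """Constructed stand-in that mimics the upstream quirk: appends an
    extra line when the input contains a Ruby heredoc opener."""
    out = [html.escape(line, quote=True) for line in source.split("\n")]
    if "<<~" in source or "<<-" in source:
        out.append("")  # one line more than it was given
    return out


def pygmentize_lines(lines: List[str], highlight: Highlighter,
                     escape_fallback: bool) -> List[str]:
    """Return one HTML-ready string per input line (modelled on the advisory,
    not on Bugsink's actual implementation). On a line-count mismatch the
    vulnerable path (escape_fallback=False) returns the raw lines; the
    hardened path escapes them before they are treated as safe HTML."""
    highlighted = highlight("\n".join(lines))
    if len(highlighted) == len(lines):
        return highlighted
    # Fallback path described by CVE-2026-27614.
    if escape_fallback:
        return [html.escape(line, quote=True) for line in lines]
    return list(lines)


def render_frame(lines: List[str], highlight: Highlighter,
                 escape_fallback: bool) -> str:
    """Stand-in for the template tag: wraps each line in a <span> and emits
    it verbatim, which is what marking the result safe amounts to."""
    rendered = pygmentize_lines(lines, highlight, escape_fallback)
    return "".join(f'<span class="line">{line}</span>' for line in rendered)


# Constructed stacktrace frame: a heredoc opener plus an HTML tag marker.
SAMPLE_FRAME = [
    "msg = <<~EOS",
    "<script>/* constructed marker */</script>",
    "EOS",
]
```

With `quirky_highlight` the vulnerable path emits the `<script>` tag unescaped, while the hardened path and the well-behaved highlighter both emit `&lt;script&gt;`.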
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-02-25
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: bugsink
Product: bugsink
Version / Range: up to 2.0.13 (excluding)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-27614 is a stored Cross-Site Scripting (XSS) vulnerability in Bugsink, a self-hosted error tracking tool. In versions prior to 2.0.13, an unauthenticated attacker who can submit events to a Bugsink project can inject arbitrary JavaScript code into an event's stacktrace.

This happens because when the Pygments syntax highlighter fails to process code lines correctly (triggered by Ruby heredoc-style input), Bugsink falls back to returning raw, unescaped input lines. These lines are then marked as safe HTML without sanitization, allowing malicious scripts to be stored.

The injected JavaScript payload executes only when an administrator or user explicitly views the affected stacktrace in the Bugsink web UI, enabling the attacker to run scripts in the administrator's browser with their privileges.

Exploitation requires the attacker to know or access the public DSN endpoint to submit events and for an admin to view the crafted event. The vulnerability was fixed in Bugsink version 2.0.13 by escaping output in the Pygments fallback mechanism. [1, 2, 3]


How can this vulnerability impact me?

This vulnerability allows an attacker to execute arbitrary JavaScript code in the browser of an administrator who views a maliciously crafted event in Bugsink.

As a result, the attacker can act with the administrator's privileges within Bugsink, potentially leading to unauthorized actions, data theft, or further compromise of the system.

Since the attack requires no authentication to submit events (due to public DSN endpoints), it poses a significant risk if an attacker can access the Bugsink ingest endpoint and an admin views the injected event. [1, 3]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability can be aided by monitoring for diagnostic events indicating issues with Pygments syntax highlighting. Specifically, look for the message: "Pygments line count mismatch, falling back to unformatted code." This message may appear in logs or diagnostic outputs when the fallback mechanism is triggered due to a mismatch in line counts, which is a known upstream quirk triggered by Ruby heredoc-style input.

Since the vulnerability involves submission of crafted events to the Bugsink ingest endpoint, monitoring network traffic for unusual or unexpected Sentry event submissions to the Bugsink API endpoint `/api/<project-id>/store/` can help detect potential exploitation attempts.

No specific commands are provided in the resources, but general approaches include:

- Review Bugsink logs or diagnostic outputs for the "Pygments line count mismatch" message.
- Monitor HTTP requests to the Bugsink ingest endpoint for suspicious or unexpected event submissions.
- Audit events submitted to Bugsink projects for unusual stacktrace frames, especially those containing Ruby heredoc-style input or suspicious JavaScript payloads.

[3]


What immediate steps should I take to mitigate this vulnerability?

The primary and immediate mitigation step is to upgrade Bugsink to version 2.0.13 or later, where this vulnerability has been fixed.

Version 2.0.13 includes a security fix that escapes output in the Pygments fallback mechanism, preventing arbitrary JavaScript injection when viewing stacktraces.

Until the upgrade is applied, restrict access to the Bugsink ingest endpoint and limit who can view stacktrace events in the web UI to reduce the risk of exploitation.

