9 vulnerabilities by bugsink
CVE-2026-47716 (GCVE-0-2026-47716)
Vulnerability from cvelistv5 – Published: 2026-05-26 16:23 – Updated: 2026-05-27 13:45
Title
Bugsink: Issue bulk actions can affect another project’s issue if its UUID is known
Summary
Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, the issue list view authorizes access through the project in the URL, but applies the requested bulk action to the submitted issue IDs without also requiring those issues to belong to that project. This vulnerability is fixed in 2.2.0.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
References
2 references
| URL | Tags |
|---|---|
| https://github.com/bugsink/bugsink/security/advis… | x_refsource_CONFIRM |
| https://github.com/bugsink/bugsink/releases/tag/2.2.0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47716",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T13:45:21.297727Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T13:45:33.896Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bugsink",
"vendor": "bugsink",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, In affected versions, the issue list view authorizes access through the project in the URL, but applies the requested bulk action to the submitted issue IDs without also requiring those issues to belong to that project. This vulnerability is fixed in 2.2.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T16:23:34.591Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bugsink/bugsink/security/advisories/GHSA-g5vc-q7qc-v939",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bugsink/bugsink/security/advisories/GHSA-g5vc-q7qc-v939"
},
{
"name": "https://github.com/bugsink/bugsink/releases/tag/2.2.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bugsink/bugsink/releases/tag/2.2.0"
}
],
"source": {
"advisory": "GHSA-g5vc-q7qc-v939",
"discovery": "UNKNOWN"
},
"title": "Bugsink: Issue bulk actions can affect another project\u2019s issue if its UUID is known"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-47716",
"datePublished": "2026-05-26T16:23:34.591Z",
"dateReserved": "2026-05-19T21:29:25.482Z",
"dateUpdated": "2026-05-27T13:45:33.896Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47715 (GCVE-0-2026-47715)
Vulnerability from cvelistv5 – Published: 2026-05-26 16:22 – Updated: 2026-05-28 13:59
Title
Bugsink: Issue event views can show an event from another project if its UUID is known
Summary
Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, Bugsink issue event pages accept a direct event identifier from the URL and, in affected versions, look up that event without also requiring it to belong to the issue in the URL. This is a project-boundary authorization issue: a logged-in user with access to one project can view another project’s event data through an issue they are allowed to access. The affected views include the stacktrace, details, and breadcrumbs pages for an issue event. This vulnerability is fixed in 2.2.0.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
References
2 references
| URL | Tags |
|---|---|
| https://github.com/bugsink/bugsink/security/advis… | x_refsource_CONFIRM |
| https://github.com/bugsink/bugsink/releases/tag/2.2.0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47715",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T13:59:21.290243Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T13:59:29.137Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bugsink",
"vendor": "bugsink",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, Bugsink issue event pages accept a direct event identifier from the URL and, in affected versions, look up that event without also requiring it to belong to the issue in the URL. This is a project-boundary authorization issue: a logged-in user with access to one project can view another project\u2019s event data through an issue they are allowed to access. The affected views include the stacktrace, details, and breadcrumbs pages for an issue event. This vulnerability is fixed in 2.2.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T16:22:23.720Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bugsink/bugsink/security/advisories/GHSA-vx2f-6m6h-9frf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bugsink/bugsink/security/advisories/GHSA-vx2f-6m6h-9frf"
},
{
"name": "https://github.com/bugsink/bugsink/releases/tag/2.2.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bugsink/bugsink/releases/tag/2.2.0"
}
],
"source": {
"advisory": "GHSA-vx2f-6m6h-9frf",
"discovery": "UNKNOWN"
},
"title": "Bugsink: Issue event views can show an event from another project if its UUID is known"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-47715",
"datePublished": "2026-05-26T16:22:23.720Z",
"dateReserved": "2026-05-19T21:29:25.482Z",
"dateUpdated": "2026-05-28T13:59:29.137Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47728 (GCVE-0-2026-47728)
Vulnerability from cvelistv5 – Published: 2026-05-26 16:16 – Updated: 2026-05-26 17:31
Title
Bugsink: Project scoping missing in sourcemap and debug-file lookup
Summary
Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, Bugsink resolved sourcemaps and debug files by debug ID without scoping that lookup to the project that owned the uploaded metadata. An authenticated user with access to one project could cause event processing in that project to use sourcemap/debug-file metadata uploaded for another project in the same Bugsink instance, if the same debug ID was referenced. This vulnerability is fixed in 2.2.0.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
References
2 references
| URL | Tags |
|---|---|
| https://github.com/bugsink/bugsink/security/advis… | x_refsource_CONFIRM |
| https://github.com/bugsink/bugsink/releases/tag/2.2.0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47728",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T17:25:58.254467Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T17:31:41.956Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bugsink",
"vendor": "bugsink",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, Bugsink resolved sourcemaps and debug files by debug ID without scoping that lookup to the project that owned the uploaded metadata. An authenticated user with access to one project could cause event processing in that project to use sourcemap/debug-file metadata uploaded for another project in the same Bugsink instance, if the same debug ID was referenced. This vulnerability is fixed in 2.2.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T16:16:10.858Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bugsink/bugsink/security/advisories/GHSA-5389-f7vh-wxj8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bugsink/bugsink/security/advisories/GHSA-5389-f7vh-wxj8"
},
{
"name": "https://github.com/bugsink/bugsink/releases/tag/2.2.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bugsink/bugsink/releases/tag/2.2.0"
}
],
"source": {
"advisory": "GHSA-5389-f7vh-wxj8",
"discovery": "UNKNOWN"
},
"title": "Bugsink: Project scoping missing in sourcemap and debug-file lookup"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-47728",
"datePublished": "2026-05-26T16:16:10.858Z",
"dateReserved": "2026-05-19T21:29:25.483Z",
"dateUpdated": "2026-05-26T17:31:41.956Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44502 (GCVE-0-2026-44502)
Vulnerability from cvelistv5 – Published: 2026-05-26 16:13 – Updated: 2026-05-27 17:21
Title
Bugsink: SSRF bypass in `validate_webhook_url`
Summary
Bugsink is a self-hosted error tracking tool. Prior to 2.1.3, Bugsink’s webhook URL validation could be (partially) bypassed because of a mismatch in URL parsing. The original validation logic parsed webhook URLs with Python’s urllib.parse.urlparse, then sent the request with requests.post. For malformed inputs involving backslashes and @, those components can disagree about where the authority ends and which hostname is the real target. A URL may therefore appear to target an allowlisted public hostname during validation, while the HTTP client actually connects to a different host. This vulnerability is fixed in 2.1.3.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
References
3 references
| URL | Tags |
|---|---|
| https://github.com/bugsink/bugsink/security/advis… | x_refsource_CONFIRM |
| https://github.com/bugsink/bugsink/commit/940d2df… | x_refsource_MISC |
| https://github.com/bugsink/bugsink/releases/tag/2.1.3 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44502",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T17:21:30.414936Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T17:21:38.121Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bugsink",
"vendor": "bugsink",
"versions": [
{
"status": "affected",
"version": "\u003c 2.1.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Bugsink is a self-hosted error tracking tool. Prior to 2.1.3, Bugsink\u2019s webhook URL validation could be (partially) bypassed because of a mismatch in URL parsing. The original validation logic parsed webhook URLs with Python\u2019s urllib.parse.urlparse, then sent the request with requests.post. For malformed inputs involving backslashes and @, those components can disagree about where the authority ends and which hostname is the real target. A URL may therefore appear to target an allowlisted public hostname during validation, while the HTTP client actually connects to a different host. This vulnerability is fixed in 2.1.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T16:13:32.350Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bugsink/bugsink/security/advisories/GHSA-fp53-qcf8-2xx2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bugsink/bugsink/security/advisories/GHSA-fp53-qcf8-2xx2"
},
{
"name": "https://github.com/bugsink/bugsink/commit/940d2df635e06803ef658666d734306942db5cc7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bugsink/bugsink/commit/940d2df635e06803ef658666d734306942db5cc7"
},
{
"name": "https://github.com/bugsink/bugsink/releases/tag/2.1.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bugsink/bugsink/releases/tag/2.1.3"
}
],
"source": {
"advisory": "GHSA-fp53-qcf8-2xx2",
"discovery": "UNKNOWN"
},
"title": "Bugsink: SSRF bypass in `validate_webhook_url`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44502",
"datePublished": "2026-05-26T16:13:32.350Z",
"dateReserved": "2026-05-06T18:28:20.886Z",
"dateUpdated": "2026-05-27T17:21:38.121Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40162 (GCVE-0-2026-40162)
Vulnerability from cvelistv5 – Published: 2026-04-10 17:02 – Updated: 2026-04-10 18:30
Title
Bugsink affected by authenticated arbitrary file write in artifactbundle/assemble
Summary
Bugsink is a self-hosted error tracking tool. An authenticated file write vulnerability was identified in Bugsink 2.1.0 in the artifact bundle assembly flow. A user with a valid authentication token could cause the application to write attacker-controlled content to a filesystem location writable by the Bugsink process. This vulnerability is fixed in 2.1.1.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
References
2 references
| URL | Tags |
|---|---|
| https://github.com/bugsink/bugsink/security/advis… | x_refsource_CONFIRM |
| https://github.com/bugsink/bugsink/releases/tag/2.1.1 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40162",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-10T18:30:36.608268Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T18:30:44.339Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bugsink",
"vendor": "bugsink",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.1.0, \u003c 2.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Bugsink is a self-hosted error tracking tool. In 2.1.0, an authenticated file write vulnerability was identified in Bugsink 2.1.0 in the artifact bundle assembly flow. A user with a valid authentication token could cause the application to write attacker-controlled content to a filesystem location writable by the Bugsink process. This vulnerability is fixed in 2.1.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T17:02:58.985Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bugsink/bugsink/security/advisories/GHSA-8hw4-fhww-273g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bugsink/bugsink/security/advisories/GHSA-8hw4-fhww-273g"
},
{
"name": "https://github.com/bugsink/bugsink/releases/tag/2.1.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bugsink/bugsink/releases/tag/2.1.1"
}
],
"source": {
"advisory": "GHSA-8hw4-fhww-273g",
"discovery": "UNKNOWN"
},
"title": "Bugsink affected by authenticated arbitrary file write in artifactbundle/assemble"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40162",
"datePublished": "2026-04-10T17:02:58.985Z",
"dateReserved": "2026-04-09T19:31:56.014Z",
"dateUpdated": "2026-04-10T18:30:44.339Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27614 (GCVE-0-2026-27614)
Vulnerability from cvelistv5 – Published: 2026-02-25 02:31 – Updated: 2026-02-25 20:01
Title
Bugsink is vulnerable to Stored XSS via Pygments fallback in stacktrace rendering
Summary
Bugsink is a self-hosted error tracking tool. In versions prior to 2.0.13, an unauthenticated attacker who can submit events to a Bugsink project can store arbitrary JavaScript in an event. The payload executes only if a user explicitly views the affected stacktrace in the web UI. When Pygments returns more lines than it was given (a known upstream quirk that triggers with Ruby heredoc-style input), `_pygmentize_lines()` in `theme/templatetags/issues.py:75-77` falls back to returning the raw input lines. `mark_safe()` at lines 111-113 is then applied unconditionally, including to those unsanitized raw lines. Since DSN endpoints are public by Sentry protocol, no account is needed to inject. The payload sits in the database until an admin looks at the event. Successful exploitation requires that the attacker be able to submit events to the project (i.e. knows the DSN or can access a client that uses it), that the Bugsink ingest endpoint be reachable to the attacker, and that an administrator explicitly view the crafted event in the UI. Under those conditions, the attacker can execute JavaScript in the administrator’s browser and act with that user’s privileges within Bugsink. Version 2.0.13 fixes the vulnerability.
Severity
9.3 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
References
3 references
| URL | Tags |
|---|---|
| https://github.com/bugsink/bugsink/security/advis… | x_refsource_CONFIRM |
| https://github.com/bugsink/bugsink/commit/e784d6a… | x_refsource_MISC |
| https://github.com/bugsink/bugsink/releases/tag/2.0.13 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27614",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-25T20:01:19.421972Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T20:01:45.861Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bugsink",
"vendor": "bugsink",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Bugsink is a self-hosted error tracking tool. In versions prior to 2.0.13, an unauthenticated attacker who can submit events to a Bugsink project can store arbitrary JavaScript in an event. The payload executes only if a user explicitly views the affected Stacktrace in the web UI. When Pygments returns more lines than it was given (a known upstream quirk that triggers with Ruby heredoc-style input), `_pygmentize_lines()` in `theme/templatetags/issues.py:75-77` falls back to returning the raw input lines. `mark_safe()` at line 111-113 is then applied unconditionally - including to those unsanitized raw lines. Since DSN endpoints are public by Sentry protocol, no account is needed to inject. The payload sits in the database until an admin looks at the event. Successful exploitation requires that the attacker to be able to submit events to the project (i.e. knows the DSN or can access a client that uses it), the Bugsink ingest endpoint is reachable to the attacker, and an administrator explicitly views the crafted event in the UI. Under those conditions, the attacker can execute JavaScript in the administrator\u2019s browser and act with that user\u2019s privileges within Bugsink. Version 2.0.13 fixes the vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T02:31:17.880Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bugsink/bugsink/security/advisories/GHSA-vp6q-7m36-pq3w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bugsink/bugsink/security/advisories/GHSA-vp6q-7m36-pq3w"
},
{
"name": "https://github.com/bugsink/bugsink/commit/e784d6aeb0d5f29b40c2779d2544c2b9ef097ee9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bugsink/bugsink/commit/e784d6aeb0d5f29b40c2779d2544c2b9ef097ee9"
},
{
"name": "https://github.com/bugsink/bugsink/releases/tag/2.0.13",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bugsink/bugsink/releases/tag/2.0.13"
}
],
"source": {
"advisory": "GHSA-vp6q-7m36-pq3w",
"discovery": "UNKNOWN"
},
"title": "Bugsink is vulnerable to Stored XSS via Pygments fallback in stacktrace rendering"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27614",
"datePublished": "2026-02-25T02:31:17.880Z",
"dateReserved": "2026-02-20T19:43:14.603Z",
"dateUpdated": "2026-02-25T20:01:45.861Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64509 (GCVE-0-2025-64509)
Vulnerability from cvelistv5 – Published: 2025-11-10 21:46 – Updated: 2025-11-12 20:14
Title
Bugsink vulnerable to unauthenticated remote DoS via crafted Brotli input (via CPU)
Summary
Bugsink is a self-hosted error tracking tool. In versions prior to 2.0.6, a specially crafted Brotli-compressed envelope can cause Bugsink to spend excessive CPU time in decompression, leading to denial of service. This can be done if the DSN is known, which it is in many common setups (JavaScript, Mobile Apps). The issue is patched in Bugsink 2.0.6. The vulnerability is similar to, but distinct from, another brotli-related problem in Bugsink, GHSA-fc2v-vcwj-269v/CVE-2025-64508.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/bugsink/bugsink/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64509",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T17:35:31.888722Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T20:14:08.231Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bugsink",
"vendor": "bugsink",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Bugsink is a self-hosted error tracking tool. In versions prior to 2.0.6, a specially crafted Brotli-compressed envelope can cause Bugsink to spend excessive CPU time in decompression, leading to denial of service. This can be done if the DSN is known, which it is in many common setups (JavaScript, Mobile Apps). The issue is patched in Bugsink 2.0.6. The vulnerability is similar to, but distinct from, another brotli-related problem in Bugsink, GHSA-fc2v-vcwj-269v/CVE-2025-64508."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T21:46:11.117Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bugsink/bugsink/security/advisories/GHSA-rrx3-2x4g-mq2h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bugsink/bugsink/security/advisories/GHSA-rrx3-2x4g-mq2h"
}
],
"source": {
"advisory": "GHSA-rrx3-2x4g-mq2h",
"discovery": "UNKNOWN"
},
"title": "Bugsink vulnerable to unauthenticated remote DoS via crafted Brotli input (via CPU)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64509",
"datePublished": "2025-11-10T21:46:11.117Z",
"dateReserved": "2025-11-05T21:15:39.399Z",
"dateUpdated": "2025-11-12T20:14:08.231Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64508 (GCVE-0-2025-64508)
Vulnerability from cvelistv5 – Published: 2025-11-10 21:44 – Updated: 2025-11-12 20:14
Title
Bugsink vulnerable to unauthenticated remote DoS via crafted Brotli input
Summary
Bugsink is a self-hosted error tracking tool. In versions prior to 2.0.5, brotli "bombs" (highly compressed brotli streams, such as many zeros) can be sent to the server. Since the server will attempt to decompress these streams before applying various maximums, this can lead to exhaustion of the available memory and thus a Denial of Service. This can be done if the `DSN` is known, which it is in many common setups (JavaScript, Mobile Apps). The issue is patched in Bugsink version `2.0.5`. The vulnerability is similar to, but distinct from, another brotli-related problem in Bugsink, GHSA-rrx3-2x4g-mq2h/CVE-2025-64509.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
References
8 references
| URL | Tags |
|---|---|
| https://github.com/bugsink/bugsink/security/advis… | x_refsource_CONFIRM |
| https://github.com/google/brotli/issues/1327 | x_refsource_MISC |
| https://github.com/google/brotli/issues/1375 | x_refsource_MISC |
| https://github.com/bugsink/bugsink/pull/266 | x_refsource_MISC |
| https://github.com/google/brotli/pull/1234 | x_refsource_MISC |
| https://github.com/bugsink/bugsink/commit/3f65544… | x_refsource_MISC |
| https://github.com/google/brotli/commit/67d78bc41… | x_refsource_MISC |
| https://github.com/google/brotli/releases/tag/v1.2.0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64508",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T17:35:49.679099Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T20:14:15.890Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bugsink",
"vendor": "bugsink",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Bugsink is a self-hosted error tracking tool. In versions prior to 2.0.5, brotli \"bombs\" (highly compressed brotli streams, such as many zeros) can be sent to the server. Since the server will attempt to decompress these streams before applying various maximums, this can lead to exhaustion of the available memory and thus a Denial of Service. This can be done if the `DSN` is known, which it is in many common setups (JavaScript, Mobile Apps). The issue is patched in Bugsink version `2.0.5`. The vulnerability is similar to, but distinct from, another brotli-related problem in Bugsink, GHSA-rrx3-2x4g-mq2h/CVE-2025-64509."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T21:46:34.117Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bugsink/bugsink/security/advisories/GHSA-fc2v-vcwj-269v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bugsink/bugsink/security/advisories/GHSA-fc2v-vcwj-269v"
},
{
"name": "https://github.com/google/brotli/issues/1327",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/google/brotli/issues/1327"
},
{
"name": "https://github.com/google/brotli/issues/1375",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/google/brotli/issues/1375"
},
{
"name": "https://github.com/bugsink/bugsink/pull/266",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bugsink/bugsink/pull/266"
},
{
"name": "https://github.com/google/brotli/pull/1234",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/google/brotli/pull/1234"
},
{
"name": "https://github.com/bugsink/bugsink/commit/3f65544aab3ad5303d97009136640de97b0676a5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bugsink/bugsink/commit/3f65544aab3ad5303d97009136640de97b0676a5"
},
{
"name": "https://github.com/google/brotli/commit/67d78bc41db1a0d03f2e763497748f2f69946627",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/google/brotli/commit/67d78bc41db1a0d03f2e763497748f2f69946627"
},
{
"name": "https://github.com/google/brotli/releases/tag/v1.2.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/google/brotli/releases/tag/v1.2.0"
}
],
"source": {
"advisory": "GHSA-fc2v-vcwj-269v",
"discovery": "UNKNOWN"
},
"title": "Bugsink vulnerable to unauthenticated remote DoS via crafted Brotli input"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64508",
"datePublished": "2025-11-10T21:44:24.832Z",
"dateReserved": "2025-11-05T21:15:39.399Z",
"dateUpdated": "2025-11-12T20:14:15.890Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-54433 (GCVE-0-2025-54433)
Vulnerability from cvelistv5 – Published: 2025-07-30 14:29 – Updated: 2025-07-30 14:46
Title
Bugsink is vulnerable to Path Traversal attacks via event_id in ingestion
Summary
Bugsink is a self-hosted error tracking service. In versions 1.4.2 and below, 1.5.0 through 1.5.4, 1.6.0 through 1.6.3, and 1.7.0 through 1.7.3, ingestion paths construct file locations directly from untrusted event_id input without validation. A specially crafted event_id can result in paths outside the intended directory, potentially allowing file overwrite or creation in arbitrary locations. Submitting such input requires access to a valid DSN, potentially exposing them. If Bugsink runs in a container, the effect is confined to the container’s filesystem. In non-containerized setups, the overwrite may affect other parts of the system accessible to that user. This is fixed in versions 1.4.3, 1.5.5, 1.6.4 and 1.7.4.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
References
9 references
| URL | Tags |
|---|---|
| https://github.com/bugsink/bugsink/security/advis… | x_refsource_CONFIRM |
| https://github.com/bugsink/bugsink/commit/1001726… | x_refsource_MISC |
| https://github.com/bugsink/bugsink/commit/211ddf7… | x_refsource_MISC |
| https://github.com/bugsink/bugsink/commit/2c41fbe… | x_refsource_MISC |
| https://github.com/bugsink/bugsink/commit/53cf1a1… | x_refsource_MISC |
| https://github.com/bugsink/bugsink/commit/55a1550… | x_refsource_MISC |
| https://github.com/bugsink/bugsink/commit/b94aa8a… | x_refsource_MISC |
| https://github.com/bugsink/bugsink/commit/c341687… | x_refsource_MISC |
| https://github.com/bugsink/bugsink/commit/c87217b… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54433",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-30T14:46:38.151753Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T14:46:51.691Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bugsink",
"vendor": "bugsink",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.7.0, \u003c 1.7.4"
},
{
"status": "affected",
"version": "\u003e= 1.6.0, \u003c 1.6.4"
},
{
"status": "affected",
"version": "\u003e= 1.5.0, \u003c 1.5.5"
},
{
"status": "affected",
"version": "\u003c 1.4.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Bugsink is a self-hosted error tracking service. In versions 1.4.2 and below, 1.5.0 through 1.5.4, 1.6.0 through 1.6.3, and 1.7.0 through 1.7.3, ingestion paths construct file locations directly from untrusted event_id input without validation. A specially crafted event_id can result in paths outside the intended directory, potentially allowing file overwrite or creation in arbitrary locations. Submitting such input requires access to a valid DSN, potentially exposing them. If Bugsink runs in a container, the effect is confined to the container\u2019s filesystem. In non-containerized setups, the overwrite may affect other parts of the system accessible to that user. This is fixed in versions 1.4.3, 1.5.5, 1.6.4 and 1.7.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T14:29:03.510Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bugsink/bugsink/security/advisories/GHSA-q78p-g86f-jg6q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bugsink/bugsink/security/advisories/GHSA-q78p-g86f-jg6q"
},
{
"name": "https://github.com/bugsink/bugsink/commit/1001726f4389e982c486cdd5fa81941cb46cfc33",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bugsink/bugsink/commit/1001726f4389e982c486cdd5fa81941cb46cfc33"
},
{
"name": "https://github.com/bugsink/bugsink/commit/211ddf76758c808c095b5f836c363f148d934d21",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bugsink/bugsink/commit/211ddf76758c808c095b5f836c363f148d934d21"
},
{
"name": "https://github.com/bugsink/bugsink/commit/2c41fbe3881bdea83399a7f9fdc8cff198ae089f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bugsink/bugsink/commit/2c41fbe3881bdea83399a7f9fdc8cff198ae089f"
},
{
"name": "https://github.com/bugsink/bugsink/commit/53cf1a17a3e96f7c83c7451fd56f980a09d0c9b0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bugsink/bugsink/commit/53cf1a17a3e96f7c83c7451fd56f980a09d0c9b0"
},
{
"name": "https://github.com/bugsink/bugsink/commit/55a155003d0b416ea008c5e7dcde85130ad21d9b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bugsink/bugsink/commit/55a155003d0b416ea008c5e7dcde85130ad21d9b"
},
{
"name": "https://github.com/bugsink/bugsink/commit/b94aa8a5c96ce8cdd9711b6beb4e518264993ac2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bugsink/bugsink/commit/b94aa8a5c96ce8cdd9711b6beb4e518264993ac2"
},
{
"name": "https://github.com/bugsink/bugsink/commit/c341687bd655543730c812db35c29199f788be6b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bugsink/bugsink/commit/c341687bd655543730c812db35c29199f788be6b"
},
{
"name": "https://github.com/bugsink/bugsink/commit/c87217bd565122ba70af90436e3ab2cd9bee658f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bugsink/bugsink/commit/c87217bd565122ba70af90436e3ab2cd9bee658f"
}
],
"source": {
"advisory": "GHSA-q78p-g86f-jg6q",
"discovery": "UNKNOWN"
},
"title": "Bugsink is vulnerable to Path Traversal attacks via event_id in ingestion"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54433",
"datePublished": "2025-07-30T14:29:03.510Z",
"dateReserved": "2025-07-21T23:18:10.282Z",
"dateUpdated": "2025-07-30T14:46:51.691Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}