Platform: python
Component: bugsink
Fixed in: 2.0.14, 2.0.13
CVE-2026-27614 describes a critical Cross-Site Scripting (XSS) vulnerability affecting Bugsink projects. An unauthenticated attacker can inject malicious JavaScript code into event submissions, which then executes when a user views the affected Stacktrace in the web UI. This vulnerability impacts versions of Bugsink up to and including 2.0.9. A fix is available in version 2.0.13.
Successful exploitation of CVE-2026-27614 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to a wide range of malicious activities, including session hijacking, credential theft, and defacement of the Bugsink web interface. The attacker does not need authentication to inject the payload, making the vulnerability particularly concerning. The execution is triggered when a user views the affected Stacktrace, so the users who open the affected event in the web UI are the ones at risk. The vulnerability stems from a combination of an upstream quirk in Pygments and the unconditional application of Django's mark_safe() to potentially unsanitized raw lines; a value marked safe bypasses template autoescaping, so any markup in those lines reaches the page as HTML.
CVE-2026-27614 was publicly disclosed on 2026-02-25. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's ease of exploitation suggests that a PoC is likely to emerge. It is not currently listed on CISA KEV, and no confirmed exploitation campaigns are known. The vulnerability's CVSS score of 9.3 (CRITICAL) indicates a high probability of exploitation if left unpatched.
Exploit Status
EPSS: 0.06% (18th percentile)
CISA SSVC
The primary mitigation for CVE-2026-27614 is to upgrade Bugsink to version 2.0.13 or later, which contains the necessary fix. If upgrading immediately is not possible, consider implementing a temporary workaround by carefully sanitizing all user-supplied input before it is processed by the pygmentizelines() function. While a WAF might offer some protection, it's unlikely to be effective against this type of XSS without specific rules tailored to the Bugsink codebase. After upgrading, confirm the fix by attempting to submit an event with a simple JavaScript payload and verifying that it does not execute when viewing the Stacktrace.
Update Bugsink to version 2.0.13 or higher. This version fixes the stored XSS vulnerability by correctly sanitizing raw input lines in stacktrace rendering.
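The following is an added example, not Bugsink's own code, showing the rendering pattern the advisory describes (mark_safe() applied unconditionally to raw lines, including the fallback path when highlighting is not applied) beside the escaped form, together with a regression check of the kind the advice above recommends running after the upgrade. Everything here is assumed: `highlight_lines`, `render_frame_lines_unsafe` and `render_frame_lines_safe` are hypothetical stand-ins rather than Bugsink's real helpers, and `SafeString`, `mark_safe` and `conditional_escape` are minimal stand-ins for the Django helpers of the same name so the file runs without Django or Pygments installed.

```python
"""Added example (not Bugsink's code): mark_safe() on raw lines vs. escaping.

Assumptions (hypothetical, not Bugsink's implementation): highlight_lines,
render_frame_lines_unsafe, render_frame_lines_safe and the Django stand-ins
SafeString / mark_safe / conditional_escape below."""
from html import escape


class SafeString(str):
    """Stand-in for django.utils.safestring.SafeString: the template engine
    emits it verbatim, bypassing autoescaping."""


def mark_safe(s: str) -> SafeString:
    """Stand-in for django.utils.safestring.mark_safe."""
    return SafeString(s)


def conditional_escape(s: str) -> SafeString:
    """Stand-in for django.utils.html.conditional_escape: escape unless the
    value was explicitly marked safe."""
    if isinstance(s, SafeString):
        return s
    return SafeString(escape(s, quote=True))


def render_template(rendered_lines) -> str:
    """Model of an autoescaping template loop over a frame's source lines."""
    return "\n".join(conditional_escape(line) for line in rendered_lines)


def highlight_lines(lines, lexer_name):
    """Hypothetical highlighter. Returns span-wrapped, HTML-escaped lines for a
    lexer it knows, or None when highlighting cannot be applied; None is the
    branch that then falls back to the raw submitted lines."""
    if lexer_name != "python":
        return None
    return [f'<span class="line">{escape(line, quote=True)}</span>' for line in lines]


def render_frame_lines_unsafe(lines, lexer_name):
    """Vulnerable pattern: every line, raw or highlighted, is marked safe."""
    highlighted = highlight_lines(lines, lexer_name)
    source = lines if highlighted is None else highlighted
    # BUG: when `source` is the raw lines, attacker-controlled event text is
    # marked safe and the template emits it as HTML.
    return [mark_safe(line) for line in source]


def render_frame_lines_safe(lines, lexer_name):
    """Fixed pattern: only the highlighter's output (which escaped its input)
    is trusted; raw lines are escaped before being marked safe."""
    highlighted = highlight_lines(lines, lexer_name)
    if highlighted is None:
        return [SafeString(escape(line, quote=True)) for line in lines]
    return [mark_safe(line) for line in highlighted]


def rendered_safely(html: str, lines) -> bool:
    """Regression check: every submitted line must appear in escaped form, so
    no '<', '>', '&' or quote from the event reached the page unescaped."""
    return all(escape(line, quote=True) in html for line in lines)


# Constructed sample event frame: one benign line and one canary line carrying
# markup, the kind of input a stored-XSS regression test would submit.
EVENT_LINES = [
    'raise ValueError("boom")',
    '<script>document.title = "canary"</script>',
]

if __name__ == "__main__":
    for lexer in ("python", "unknown-language"):
        for renderer in (render_frame_lines_unsafe, render_frame_lines_safe):
            html = render_template(renderer(EVENT_LINES, lexer))
            print(f"{renderer.__name__:26s} lexer={lexer:16s} "
                  f"safe={rendered_safely(html, EVENT_LINES)}")
```

Running the script shows the point of the advisory: both renderers are fine while highlighting succeeds, because the highlighter escaped its input before the result was marked safe; only the raw-line fallback differs, and there the unsafe variant emits the canary's markup verbatim while the fixed variant emits `&lt;script&gt;`. The `rendered_safely` check is what a post-upgrade test can assert instead of relying on a browser to observe whether a script ran.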
CVE-2026-27614 is a critical XSS vulnerability in Bugsink projects where an attacker can inject JavaScript via event submissions.
You are affected if you are using Bugsink versions 2.0.9 or earlier. Upgrade to 2.0.13 to resolve the issue.
Upgrade Bugsink to version 2.0.13 or later. As a temporary workaround, sanitize all user-supplied input before processing.
No confirmed exploitation campaigns are currently known, but the vulnerability's severity suggests potential for exploitation.
Refer to the Bugsink project's release notes and security advisories on their official website or GitHub repository.
CVSS Vector