CVE-2026-27614
Published: 25 February 2026
Summary
CVE-2026-27614 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Bugsink. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 27.2nd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 mandates timely flaw remediation, directly addressing the Pygments quirk and the unconditional mark_safe() application that enables stored XSS in Bugsink events.
SI-15 filters information outputs like stacktraces in the web UI, preventing execution of injected JavaScript when administrators view affected events.
SI-10 validates event inputs submitted via the public DSN endpoint, reducing the risk of storing malicious JavaScript payloads that exploit the Pygments quirk.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS via the unauthenticated public DSN ingest endpoint (T1190) directly enables storage and subsequent browser execution of an arbitrary JavaScript payload (T1059.007) when an admin views the stacktrace, achieving high-impact admin session compromise.
NVD Description
Bugsink is a self-hosted error tracking tool. In versions prior to 2.0.13, an unauthenticated attacker who can submit events to a Bugsink project can store arbitrary JavaScript in an event. The payload executes only if a user explicitly views the affected Stacktrace in the web UI. When Pygments returns more lines than it was given (a known upstream quirk that triggers with Ruby heredoc-style input), `_pygmentize_lines()` in `theme/templatetags/issues.py:75-77` falls back to returning the raw input lines. `mark_safe()` at lines 111-113 is then applied unconditionally, including to those unsanitized raw lines. Since DSN endpoints are public by Sentry protocol, no account is needed to inject. The payload sits in the database until an admin looks at the event. Successful exploitation requires that the attacker be able to submit events to the project (i.e. knows the DSN or can access a client that uses it), that the Bugsink ingest endpoint is reachable to the attacker, and that an administrator explicitly views the crafted event in the UI. Under those conditions, the attacker can execute JavaScript in the administrator's browser and act with that user's privileges within Bugsink. Version 2.0.13 fixes the vulnerability.
Deeper analysis
CVE-2026-27614 is a stored cross-site scripting (XSS) vulnerability (CWE-79) in Bugsink, a self-hosted error tracking tool, affecting versions prior to 2.0.13. The flaw occurs in the `_pygmentize_lines()` function in `theme/templatetags/issues.py` at lines 75-77: a known quirk in Pygments causes it to return more lines than it was given (particularly with Ruby heredoc-style input), and the function then falls back to the raw, unsanitized input lines. These lines are passed unconditionally to `mark_safe()` at lines 111-113, so JavaScript stored in an event submitted via the public DSN endpoint is rendered unescaped in the web UI.
An unauthenticated attacker who can submit events to a Bugsink project—by knowing the DSN or accessing a client that uses it, and with the ingest endpoint reachable—can inject the JavaScript payload into the database. The payload executes only if an administrator explicitly views the affected Stacktrace in the web UI. Successful exploitation enables the attacker to run JavaScript in the administrator's browser, acting with that user's privileges within Bugsink. The CVSS v3.1 base score is 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N).
Bugsink version 2.0.13 addresses the vulnerability. Mitigation details are provided in the GitHub security advisory (GHSA-vp6q-7m36-pq3w), the release notes for version 2.0.13, and the fixing commit (e784d6aeb0d5f29b40c2779d2544c2b9ef097ee9).
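The following Python is an added illustration of the pattern the NVD description and the analysis above describe; it is not Bugsink's code and does not use Pygments. It contrasts a fallback that returns raw lines and marks them safe with a hardened fallback that HTML-escapes first. The `quirky_highlighter` stand-in (which deliberately emits an extra line for heredoc-like input), the `SafeHtml` marker type standing in for Django's `SafeString`, and the sample lines are all constructed assumptions.

```python
import html
from typing import Callable, List


class SafeHtml(str):
    """Marker type standing in for Django's SafeString (assumption, not Bugsink's code).
    Anything wrapped in it is rendered without further escaping."""


def quirky_highlighter(lines: List[str]) -> List[str]:
    """Constructed stand-in for a syntax highlighter with a line-count quirk.
    It escapes each line, but for any line that looks like a Ruby heredoc
    opener it appends one extra empty line, so the output is longer than
    the input and the caller's fallback path is exercised."""
    out: List[str] = []
    for line in lines:
        out.append(html.escape(line))
        if "<<~" in line or "<<-" in line:
            out.append("")  # the extra line that makes the counts disagree
    return out


Highlighter = Callable[[List[str]], List[str]]


def render_vulnerable(lines: List[str], highlighter: Highlighter = quirky_highlighter) -> List[SafeHtml]:
    """The unsafe pattern: on a line-count mismatch, fall back to the raw
    input lines and then mark every line safe, raw lines included."""
    highlighted = highlighter(lines)
    if len(highlighted) != len(lines):
        highlighted = lines  # raw, unescaped user input
    return [SafeHtml(line) for line in highlighted]


def render_hardened(lines: List[str], highlighter: Highlighter = quirky_highlighter) -> List[SafeHtml]:
    """The hardened pattern: the fallback escapes every raw line before
    anything is marked safe, so the quirk only costs highlighting, not safety."""
    highlighted = highlighter(lines)
    if len(highlighted) != len(lines):
        highlighted = [html.escape(line) for line in lines]
    return [SafeHtml(line) for line in highlighted]


# Constructed sample: a heredoc opener (triggers the quirk) followed by a
# line containing benign markup that must not reach the browser unescaped.
SAMPLE_LINES = [
    "text = <<~EOS",
    "<b>not escaped</b>",
    "EOS",
]


def markup_leaks(rendered: List[SafeHtml]) -> bool:
    """True if any rendered line still contains a literal '<' (i.e. raw markup)."""
    return any("<" in line for line in rendered)


if __name__ == "__main__":
    print("vulnerable leaks markup:", markup_leaks(render_vulnerable(SAMPLE_LINES)))
    print("hardened leaks markup:  ", markup_leaks(render_hardened(SAMPLE_LINES)))
```

The check worth carrying into a real code base is the one in `render_hardened`: a count mismatch from the highlighter must never lead to the original text being marked safe, and the safest fix is to escape on the fallback path rather than to trust any branch that bypasses the highlighter.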
Details
- CWE(s)