Cyber Posture

CVE-2026-40162

High

Published: 10 April 2026

Modified: 15 April 2026
KEV Added: not listed
Patch: available (fixed in 2.1.1)
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L)
EPSS Score: 0.0013 (31.2nd percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-40162 is a high-severity Improper Input Validation (CWE-20) vulnerability in Bugsink (vendor: Bugsink). Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Ingress Tool Transfer (T1105). Its EPSS score places it at the 31.2nd percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Ingress Tool Transfer (T1105) and one other technique, Web Shell (T1505.003). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly addresses the improper input validation (CWE-20) in the artifact bundle assembly flow that allows attacker-controlled content to be written to process-writable filesystem paths.

SI-2 Flaw Remediation (prevent): Requires timely flaw remediation by patching Bugsink to version 2.1.1, eliminating the specific authenticated file write vulnerability.

Prevent: Enforces least privilege on the Bugsink process to restrict writable filesystem locations, limiting the scope of potential arbitrary file writes.

MITRE ATT&CK Enterprise Techniques

T1105 Ingress Tool Transfer (tactic: Command and Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.

T1505.003 Web Shell (tactic: Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

Authenticated arbitrary file write directly enables ingress of attacker-controlled files (T1105) and deployment of web shells via server software component modification (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Bugsink is a self-hosted error tracking tool. In 2.1.0, an authenticated file write vulnerability was identified in Bugsink 2.1.0 in the artifact bundle assembly flow. A user with a valid authentication token could cause the application to write attacker-controlled content to a filesystem location writable by the Bugsink process. This vulnerability is fixed in 2.1.1.

Deeper analysis

CVE-2026-40162 is an authenticated file write vulnerability (CWE-20) in Bugsink version 2.1.0, a self-hosted error tracking tool. The flaw exists in the artifact bundle assembly flow, where the application can be induced to write attacker-controlled content to a filesystem location writable by the Bugsink process. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L) and was published on 2026-04-10.

An attacker with a valid authentication token, requiring low privileges (PR:L), can exploit this remotely over the network with low complexity and no user interaction. Successful exploitation allows the attacker to write arbitrary content to process-writable filesystem paths, potentially enabling integrity violations such as overwriting configuration files or injecting malicious data, alongside limited availability impact.

The vulnerability is fixed in Bugsink version 2.1.1. Additional details are available in the GitHub security advisory at https://github.com/bugsink/bugsink/security/advisories/GHSA-8hw4-fhww-273g and the release notes at https://github.com/bugsink/bugsink/releases/tag/2.1.1.

Details

CWE(s)

CWE-20 Improper Input Validation

Affected Products

Vendor: bugsink
Product: bugsink
Version: 2.1.0

CVEs Like This One

CVE-2026-27614 (same product: Bugsink Bugsink)
CVE-2026-24936 (shared CWE-20)
CVE-2025-27224 (shared CWE-20)
CVE-2026-27623 (shared CWE-20)
CVE-2025-61614 (shared CWE-20)
CVE-2026-20856 (shared CWE-20)
CVE-2025-69278 (shared CWE-20)
CVE-2025-30452 (shared CWE-20)
CVE-2024-21925 (shared CWE-20)
CVE-2025-20146 (shared CWE-20)

References