Cyber Resilience

CVE-2026-40162

Severity: High
Published: 10 April 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: available (Bugsink 2.1.1)
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L)
EPSS Score: 0.0014 (34.5th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-40162 is a high-severity Improper Input Validation (CWE-20) vulnerability in Bugsink (vendor: Bugsink), a self-hosted error tracking tool. Its CVSS v3.1 base score is 7.1 (High): network-reachable, low attack complexity, low privileges required, no user interaction, high integrity impact and low availability impact.

Operationally, exploitation aligns with the MITRE ATT&CK technique Ingress Tool Transfer (T1105), since an authenticated file write lets an attacker place files of their choosing on the server. Its EPSS score places it at the 34.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation), i.e. upgrading to Bugsink 2.1.1.

Deeper analysis

CVE-2026-40162 is an authenticated file write vulnerability (CWE-20) in Bugsink version 2.1.0, a self-hosted error tracking tool. The flaw exists in the artifact bundle assembly flow, where a request from an authenticated user can induce the application to write attacker-controlled content to a filesystem location writable by the Bugsink process. The advisory does not state which input check is missing. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L) and was published on 2026-04-10.

An attacker holding a valid authentication token (low privileges, PR:L) can exploit this remotely over the network with low complexity and no user interaction. Successful exploitation lets the attacker write arbitrary content to any path the Bugsink process can write to. The practical impact depends on what is writable: if that includes configuration, application code or a web-served directory, the integrity impact (I:H) extends to modifying the application's behaviour, and overwriting or filling storage gives the limited availability impact (A:L) reflected in the score. Because the attack requires a valid token, exposure is bounded by who holds Bugsink credentials; token leakage or a permissive self-service signup raises it.

The vulnerability is fixed in Bugsink version 2.1.1. Additional details are available in the GitHub security advisory at https://github.com/bugsink/bugsink/security/advisories/GHSA-8hw4-fhww-273g and the release notes at https://github.com/bugsink/bugsink/releases/tag/2.1.1.


Vulnerability details

Bugsink is a self-hosted error tracking tool. In 2.1.0, an authenticated file write vulnerability was identified in Bugsink 2.1.0 in the artifact bundle assembly flow. A user with a valid authentication token could cause the application to write attacker-controlled content to a filesystem location writable by the Bugsink process. This vulnerability is fixed in 2.1.1.

CWE(s)

CWE-20 Improper Input Validation

Related Threats

MITRE ATT&CK Enterprise Techniques

T1105 Ingress Tool Transfer (Command and Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

An authenticated arbitrary file write directly enables ingress of attacker-controlled files onto the server (T1105). Whether it also enables a web shell (T1505.003) depends on whether a directory the web server executes or serves from is writable by the Bugsink process; the mapping assumes it may be.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-27614 (same product: Bugsink)
CVE-2026-33588 (shared CWE-20)
CVE-2025-27224 (shared CWE-20)
CVE-2026-24936 (shared CWE-20)
CVE-2026-2750 (shared CWE-20)
CVE-2026-22862 (shared CWE-20)
CVE-2026-21268 (shared CWE-20)
CVE-2025-21234 (shared CWE-20)
CVE-2026-22868 (shared CWE-20)
CVE-2025-12907 (shared CWE-20)

Affected Assets

Vendor: bugsink
Product: bugsink
Version: 2.1.0

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly addresses the improper input validation (CWE-20) in the artifact bundle assembly flow that allows attacker-controlled content to be written to process-writable filesystem paths.

SI-2 Flaw Remediation (prevent)
Requires timely flaw remediation by patching Bugsink to version 2.1.1, eliminating the specific authenticated file write vulnerability.

Least privilege for the Bugsink process (prevent)
Enforces least privilege on the Bugsink process to restrict writable filesystem locations (for example, a non-root service account whose only writable paths are its data and temporary directories), limiting the scope of any file write the application can be tricked into performing.
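The two preventive controls above (SI-10 input validation on the bundle entry names and least-privilege confinement of where the process may write) can be illustrated together. The following is an added example, not Bugsink's code and not a description of the actual 2.1.0 defect, which the advisory does not detail; it assumes a hypothetical bundle assembly flow in which a client supplies entry names and contents for a server-side directory. The names `confined_path`, `write_entry`, `assemble_bundle` and the sample entries are constructed for this illustration.

```python
"""Path confinement for a hypothetical artifact-bundle assembly flow.

Added illustration, not Bugsink's code. The server accepts client-supplied
entry names and must refuse any name that would land a write outside the
bundle root (SI-10), and must write without following a planted symlink so
that the confinement also holds at write time (least privilege in practice).
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path


class UnsafeBundlePath(ValueError):
    """Raised when a client-supplied entry name would escape the bundle root."""


def confined_path(root: Path, entry_name: str) -> Path:
    """Return root/entry_name only if it stays strictly under root.

    Rejects empty names, NUL bytes, absolute names, '..' components, and any
    already-existing symlink under root that would redirect the final path.
    """
    if not entry_name or "\x00" in entry_name:
        raise UnsafeBundlePath("empty name or NUL byte")
    if os.path.isabs(entry_name) or entry_name.startswith(("/", "\\")):
        raise UnsafeBundlePath("absolute path not allowed")
    parts = Path(entry_name).parts
    if ".." in parts:
        raise UnsafeBundlePath("parent-directory component not allowed")
    root_real = root.resolve(strict=True)
    candidate = root_real.joinpath(*parts)
    # Resolve whatever part of the candidate already exists (including any
    # symlink an attacker planted earlier) and require it to stay under root.
    resolved = candidate.resolve(strict=False)
    if resolved == root_real or root_real not in resolved.parents:
        raise UnsafeBundlePath(f"{entry_name!r} escapes {root_real}")
    return candidate


def write_entry(root: Path, entry_name: str, content: bytes) -> Path:
    """Write one entry under root without following a symlink on the final
    component, so a link planted between the check and the write fails."""
    dest = confined_path(root, entry_name)
    dest.parent.mkdir(parents=True, exist_ok=True)
    nofollow = getattr(os, "O_NOFOLLOW", 0)  # assumed available on Linux/macOS
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | nofollow
    fd = os.open(dest, flags, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return dest


def assemble_bundle(root: Path, entries: dict[str, bytes]) -> dict[str, str]:
    """Write client-supplied {name: bytes}; report each outcome so rejected
    names can be logged as a signal rather than dropped silently."""
    outcome: dict[str, str] = {}
    for name, content in entries.items():
        try:
            write_entry(root, name, content)
            outcome[name] = "written"
        except UnsafeBundlePath as exc:
            outcome[name] = f"rejected: {exc}"
    return outcome


def demo() -> dict[str, str]:
    """Constructed sample bundle: two legitimate entries plus three names
    chosen to reach outside the bundle root (traversal, absolute path,
    planted symlink). Returns the per-entry outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "bundle"
        root.mkdir()
        outside = Path(tmp) / "outside"
        outside.mkdir()
        (root / "link").symlink_to(outside)  # planted symlink inside root
        entries = {
            "manifest.json": b'{"release": "1.0"}',
            "maps/app.js.map": b"{}",
            "../../etc/cron.d/evil": b"* * * * * root id\n",
            "/tmp/evil": b"x",
            "link/evil": b"x",
        }
        return assemble_bundle(root, entries)


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Rejections are returned per entry rather than raised for the whole bundle so that a deployment can log them; an authenticated user sending `..` or absolute names into a bundle upload is a useful detection signal even on a patched version. Confining the process with a dedicated service account and a minimal set of writable directories is still worth doing: it bounds what any future write flaw can reach, which is the point of the least-privilege control above.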

References

GitHub security advisory: https://github.com/bugsink/bugsink/security/advisories/GHSA-8hw4-fhww-273g
Bugsink 2.1.1 release notes: https://github.com/bugsink/bugsink/releases/tag/2.1.1