Bugsink: Project scoping missing in sourcemap and debug-file lookup

4.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, Bugsink resolved sourcemaps and debug files by debug ID without scoping that lookup to the project that owned the uploaded metadata. An authenticated user with access to one project could cause event processing in that project to use sourcemap/debug-file metadata uploaded for another project in the same Bugsink instance, if the same debug ID was referenced. This vulnerability is fixed in 2.2.0.

Basic Information

ID CVE-2026-47728

Source GitHub_M

Published May 26, 2026 at 16:16

Modified May 26, 2026 at 17:31

Affected Product

Vendor bugsink

Product bugsink

Version < 2.2.0

Affected Versions bugsink bugsink < 2.2.0

CWE Classification

CWE-862

References

{
    "lastseen": "",
    "description": "Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, Bugsink resolved sourcemaps and debug files by debug ID without scoping that lookup to the project that owned the uploaded metadata. An authenticated user with access to one project could cause event processing in that project to use sourcemap/debug-file metadata uploaded for another project in the same Bugsink instance, if the same debug ID was referenced. This vulnerability is fixed in 2.2.0.",
    "published": "2026-05-26T16:16:10.858Z",
    "modified": "2026-05-26T17:31:41.956Z",
    "type": "cve",
    "title": "Bugsink: Project scoping missing in sourcemap and debug-file lookup",
    "source": "GitHub_M",
    "references": "https://github.com/bugsink/bugsink/security/advisories/GHSA-5389-f7vh-wxj8\nhttps://github.com/bugsink/bugsink/releases/tag/2.2.0",
    "id": "CVE-2026-47728",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "bugsink bugsink < 2.2.0",
    "sourceHref": "",
    "cvss": {
        "score": 4.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "bugsink",
    "version": "< 2.2.0",
    "vendor": "bugsink",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Bugsink: Project scoping missing in sourcemap and debug-file lookup_CVE-2026-47728