Bugsink is vulnerable to Stored XSS via Pygments fallback in stacktrace rendering

Summary An unauthenticated attacker who can submit events to a Bugsink project can store arbitrary JavaScript in an event. The payload executes only if a user explicitly views the affected Stacktrace in the web UI. Details When Pygments returns more lines than it was given a known upstream quirk...

GHSA-VP6Q-7M36-PQ3W Bugsink is vulnerable to Stored XSS via Pygments fallback in stacktrace rendering

Summary An unauthenticated attacker who can submit events to a Bugsink project can store arbitrary JavaScript in an event. The payload executes only if a user explicitly views the affected Stacktrace in the web UI. Details When Pygments returns more lines than it was given a known upstream quirk...

CVE-2026-27614

Bugsink (self-hosted error tracking) is affected by a Stored XSS in versions before 2.0.13. The root cause is how Pygments fallback in stacktrace rendering handles line mismatches: _pygmentize_lines() returns raw lines when line counts differ, and then mark_safe() is applied unconditionally to th...

CVE-2026-27614 Bugsink is vulnerable to Stored XSS via Pygments fallback in stacktrace rendering

Bugsink is a self-hosted error tracking tool. In versions prior to 2.0.13, an unauthenticated attacker who can submit events to a Bugsink project can store arbitrary JavaScript in an event. The payload executes only if a user explicitly views the affected Stacktrace in the web UI. When Pygments...

CVE-2026-27614 Bugsink is vulnerable to Stored XSS via Pygments fallback in stacktrace rendering

Bugsink is a self-hosted error tracking tool. In versions prior to 2.0.13, an unauthenticated attacker who can submit events to a Bugsink project can store arbitrary JavaScript in an event. The payload executes only if a user explicitly views the affected Stacktrace in the web UI. When Pygments...