PT-2026-48927

A vulnerability in Kedro version 1.2.0 allows an attacker to exploit path traversal by providing a crafted version string. The get versioned path method in kedro/io/core.py directly interpolates user-supplied version strings into filesystem paths without sanitization. This enables an attacker to...

Bugsink: Project scoping missing in sourcemap and debug-file lookup

Summary Bugsink before 2.2.0 resolved sourcemaps and debug files by debug ID without scoping that lookup to the project that owned the uploaded metadata. An authenticated user with access to one project could cause event processing in that project to use sourcemap/debug-file metadata uploaded for...

EUVD-2026-31860

Bugsink: Project scoping missing in sourcemap and debug-file lookup...

GHSA-5389-F7VH-WXJ8 Bugsink: Project scoping missing in sourcemap and debug-file lookup

Summary Bugsink before 2.2.0 resolved sourcemaps and debug files by debug ID without scoping that lookup to the project that owned the uploaded metadata. An authenticated user with access to one project could cause event processing in that project to use sourcemap/debug-file metadata uploaded for...

Missing Authorization

Overview bugsink is a Self-hosted Error Tracking Affected versions of this package are vulnerable to Missing Authorization in the lookup process for sourcemaps and debug files, which was not properly scoped to the owning project. An attacker can access source context or symbolication-derived...

EUVD-2026-31862

Bugsink: Issue bulk actions can affect another project’s issue if its UUID is known...

Bugsink: Issue bulk actions can affect another project’s issue if its UUID is known

Description Bugsink’s issue list supports bulk actions such as resolving or muting selected issues. In affected versions, the issue list view authorizes access through the project in the URL, but applies the requested bulk action to the submitted issue IDs without also requiring those issues to...

GHSA-G5VC-Q7QC-V939 Bugsink: Issue bulk actions can affect another project’s issue if its UUID is known

Description Bugsink’s issue list supports bulk actions such as resolving or muting selected issues. In affected versions, the issue list view authorizes access through the project in the URL, but applies the requested bulk action to the submitted issue IDs without also requiring those issues to...

Bugsink: Issue event views can show an event from another project if its UUID is known

Description Bugsink issue event pages accept a direct event identifier from the URL and, in affected versions, look up that event without also requiring it to belong to the issue in the URL. This is a project-boundary authorization issue: a logged-in user with access to one project can view anoth...

EUVD-2026-31861

Bugsink: Issue event views can show an event from another project if its UUID is known...

GHSA-VX2F-6M6H-9FRF Bugsink: Issue event views can show an event from another project if its UUID is known

Description Bugsink issue event pages accept a direct event identifier from the URL and, in affected versions, look up that event without also requiring it to belong to the issue in the URL. This is a project-boundary authorization issue: a logged-in user with access to one project can view anoth...

CVE-2026-47716

Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, In affected versions, the issue list view authorizes access through the project in the URL, but applies the requested bulk action to the submitted issue IDs without also requiring those issues to belong to that project. This...

CVE-2026-47728

Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, Bugsink resolved sourcemaps and debug files by debug ID without scoping that lookup to the project that owned the uploaded metadata. An authenticated user with access to one project could cause event processing in that project to use...

CVE-2026-40896

OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with manageagendas permission in any project can inject agenda items into meetings belonging to any other project on the instance — even projects they have no access to. No knowledge of the target...

CVE-2026-40904

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes multiple dataset and dataRequest endpoints that authorize low-privileged project members at the team level instead of binding the...

CVE-2026-40600

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew allows authenticated users with access to one project to update or delete a SharePolicy record that belongs to a different project. The affect...

CVE-2026-50266

In OpenStack Neutron before 28.0.1, a project manager can create or update a port on a shared network owned by another project and set deviceowner to a value that has "network:" at the beginning "network:dhcp" for example. The default port RBAC policies incorrectly included PROJECTMANAGER without...

CVE-2026-47715

Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, Bugsink issue event pages accept a direct event identifier from the URL and, in affected versions, look up that event without also requiring it to belong to the issue in the URL. This is a project-boundary authorization issue: a...

CVE-2026-47728

Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, Bugsink resolved sourcemaps and debug files by debug ID without scoping that lookup to the project that owned the uploaded metadata. An authenticated user with access to one project could cause event processing in that project to use...

CVE-2026-47716

Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, In affected versions, the issue list view authorizes access through the project in the URL, but applies the requested bulk action to the submitted issue IDs without also requiring those issues to belong to that project. This...