CVE-2026-27614: Bugsink is vulnerable to Stored XSS via Pygments fallback in stacktrace rendering

February 25, 2026

An unauthenticated attacker who can submit events to a Bugsink project can store arbitrary JavaScript in an event. The payload executes only if a user explicitly views the affected Stacktrace in the web UI.

References

github.com/advisories/GHSA-vp6q-7m36-pq3w
github.com/bugsink/bugsink
github.com/bugsink/bugsink/commit/e784d6aeb0d5f29b40c2779d2544c2b9ef097ee9
github.com/bugsink/bugsink/releases/tag/2.0.13
github.com/bugsink/bugsink/security/advisories/GHSA-vp6q-7m36-pq3w
nvd.nist.gov/vuln/detail/CVE-2026-27614

Code Behaviors & Features

Detect and mitigate CVE-2026-27614 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →