CVE-2026-47728: Bugsink: Project scoping missing in sourcemap and debug-file lookup

June 5, 2026

Bugsink before 2.2.0 resolved sourcemaps and debug files by debug ID without scoping that lookup to the project that owned the uploaded metadata. An authenticated user with access to one project could cause event processing in that project to use sourcemap/debug-file metadata uploaded for another project in the same Bugsink instance, if the same debug ID was referenced.
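
A minimal model of the bug class described above, added here as an illustration and not taken from Bugsink's code base. `DebugFileStore`, its methods, `cross_project_hits` and the sample IDs are hypothetical; the example contrasts a lookup keyed on debug ID alone with one that also requires the owning project, and lists events that only resolve across a project boundary.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DebugFile:
    project_id: int  # project that uploaded the metadata
    debug_id: str    # identifier referenced by incoming events
    content: str     # stands in for the sourcemap / debug-file payload


class DebugFileStore:
    """Hypothetical in-memory store; not Bugsink's data model."""

    def __init__(self):
        self._files = []

    def upload(self, project_id, debug_id, content):
        self._files.append(DebugFile(project_id, debug_id, content))

    def lookup_unscoped(self, debug_id):
        # Pre-fix pattern: the debug ID is the whole key, so any project's upload matches.
        return next((f for f in self._files if f.debug_id == debug_id), None)

    def lookup_scoped(self, project_id, debug_id):
        # Fixed pattern: the project processing the event is part of the key.
        return next((f for f in self._files
                     if f.project_id == project_id and f.debug_id == debug_id), None)


def cross_project_hits(store, events):
    """Return (event_project, debug_id, owning_project) for every event whose
    debug ID resolves only through another project's upload."""
    hits = []
    for project_id, debug_id in events:
        found = store.lookup_unscoped(debug_id)
        if found and store.lookup_scoped(project_id, debug_id) is None:
            hits.append((project_id, debug_id, found.project_id))
    return hits


def sample_store():
    # Constructed sample data: two projects, one upload each.
    store = DebugFileStore()
    store.upload(1, "dbg-0001", "sourcemap for project 1")
    store.upload(2, "dbg-0002", "sourcemap for project 2")
    return store


# Constructed events as (project_id, referenced debug_id).
SAMPLE_EVENTS = [(1, "dbg-0001"), (2, "dbg-0001"), (2, "dbg-0002")]
```
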

References

  • github.com/advisories/GHSA-5389-f7vh-wxj8
  • github.com/bugsink/bugsink/releases/tag/2.2.0
  • github.com/bugsink/bugsink/security/advisories/GHSA-5389-f7vh-wxj8
  • nvd.nist.gov/vuln/detail/CVE-2026-47728

Affected versions

All versions before 2.2.0

Fixed versions

  • 2.2.0

Solution

Upgrade to version 2.2.0 or above.

Impact 4.3 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Weakness

  • CWE-862: Missing Authorization

Source file

pypi/bugsink/CVE-2026-47728.yml

Page generated Tue, 23 Jun 2026 12:23:25 +0000.