PatchSiren

bugsink CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM bugsink CVE published 2026-05-26

CVE-2026-47728

Bugsink, a self-hosted error tracking tool, contained a cross-project sourcemap and debug-file lookup vulnerability prior to version 2.2.0. The issue stemmed from insufficient scoping when resolving debug IDs: an authenticated user with access to one project could cause event processing to use sourcemap or debug-file metadata uploaded for a different project within the same Bugsink instance, provided both [truncated]

LOW bugsink CVE published 2026-05-26

CVE-2026-47716

A broken access control vulnerability in Bugsink's issue list view allows authenticated users with low privileges to perform unauthorized bulk actions on issues outside their authorized project scope. The application validates project-level access based on the URL parameter but fails to verify that submitted issue IDs belong to that same project before executing bulk operations. This authorization gap per [truncated]

LOW bugsink CVE published 2026-05-26

CVE-2026-47715

CVE-2026-47715 is a project-boundary authorization bypass in Bugsink, a self-hosted error tracking tool. Prior to version 2.2.0, the application failed to validate that an event identifier provided in the URL belonged to the issue specified in the same URL. This allowed authenticated users with access to one project to view event data—including stacktraces, details, and breadcrumbs—from other projects by [truncated]

MEDIUM bugsink CVE published 2026-05-26

CVE-2026-44502

A URL parsing mismatch in Bugsink's webhook validation allows partial bypass of allowlist restrictions. The vulnerability stems from disagreement between Python's urllib.parse.urlparse (used for validation) and the requests library (used for HTTP transmission) when handling malformed URLs containing backslashes and @ characters. An attacker with authenticated access could craft a webhook URL that appears [truncated]