CVE-2026-27614 - Bugsink - Stored XSS

Overview

Bugsink < 2.0.13 contains a stored XSS caused by unsanitized JavaScript in event stacktrace rendering, letting unauthenticated attackers execute scripts in admin browsers, exploit requires event submission and admin viewing.

Severity & Score

Severity: Critical

CVSS Score: 9.3

EPSS Score: 8.8%(Probability of exploitation in next 30 days)

Impact

Attackers can execute JavaScript in admin browsers, potentially leading to full admin privilege compromise within Bugsink.

Mitigation

Update to version 2.0.13 or later.

References

Social Media Activity(2 posts)

TheHackerWire

@thehackerwire

Feb 25, 2026

🔴 CVE-2026-27614 - Critical (9.3) Bugsink is a self-hosted error tracking tool. In versions prior to 2.0.13, an unauthenticated attacker who can submit events to a Bugsink project can store arbitrary JavaScript in an event. The payload executes only if a user explicitly views the ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-27614/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

TheHackerWire

@thehackerwire

Feb 25, 2026

🔴 CVE-2026-27614 - Critical (9.3) Bugsink is a self-hosted error tracking tool. In versions prior to 2.0.13, an unauthenticated attacker who can submit events to a Bugsink project can store arbitrary JavaScript in an event. The payload executes only if a user explicitly views the ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-27614/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

CVE-2026-27614 - Vulnerability Analysis

Overview

Severity & Score

Impact

Mitigation

References

Social Media Activity(2 posts)

Related Resources

Details

CWE

CVSS Metrics

EPSS Score