CVE-2026-44502 MEDIUM

CVE-2026-44502: Bugsink: SSRF bypass in `validate_webhook_url`

Vendor Bugsink
Product bugsink
Weakness CWE-918 · SSRF
Published May 26, 2026
Last update May 27, 2026
View on NVD All CVEs

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Bugsink is a self-hosted error tracking tool. Prior to 2.1.3, Bugsink’s webhook URL validation could be (partially) bypassed because of a mismatch in URL parsing. The original validation logic parsed webhook URLs with Python’s urllib.parse.urlparse, then sent the request with requests.post. For malformed inputs involving backslashes and @, those components can disagree about where the authority ends and which hostname is the real target. A URL may therefore appear to target an allowlisted public hostname during validation, while the HTTP client actually connects to a different host. This vulnerability is fixed in 2.1.3.

Key dates

02Disclosure timeline

May 26, 2026 CVE published
May 27, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-2558 GeekAI net_handler.go Download server-side request forgery CVE-2022-35949 `undici.request` vulnerable to SSRF using absolute URL on `pathname` CVE-2026-6625 moxi624 Mogu Blog v2 Picture Storage Service LocalFileServiceImpl.java LocalFileServiceImpl.uploadPictureByUrl server-side request forgery CVE-2025-10056 Task Scheduler <= 1.6.3 - Authenticated (Admin+) Blind Server-Side Request Forgery CVE-2026-42339 New API: SSRF Filter Bypass via 0.0.0.0