CVE-2026-47728 MEDIUM

CVE-2026-47728: Bugsink: Project scoping missing in sourcemap and debug-file lookup

Vendor Bugsink

Product bugsink

Weakness CWE-862 · Missing authorization

Published May 26, 2026

Last update May 26, 2026

View on NVD All CVEs

CVSS base score

4.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, Bugsink resolved sourcemaps and debug files by debug ID without scoping that lookup to the project that owned the uploaded metadata. An authenticated user with access to one project could cause event processing in that project to use sourcemap/debug-file metadata uploaded for another project in the same Bugsink instance, if the same debug ID was referenced. This vulnerability is fixed in 2.2.0.

Key dates

02Disclosure timeline

May 26, 2026 CVE published

May 26, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-47728 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

04Related CVE

CVE-2021-44794 Information Leakege via Unauthorized Access in Single Connect CVE-2023-4723 Elementor Addon Elements <= 1.12.7 - Missing Authorization to Sensitive Information Exposure CVE-2024-4355 Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection <= 10.23 - Missing Authorization to Information Expsoure CVE-2023-50898 WordPress Image Optimizer, Resizer and CDN – Sirv plugin <= 7.1.2 - Broken Access Control vulnerability CVE-2026-39657 WordPress leadlovers forms plugin <= 1.0.2 - Broken Access Control vulnerability