{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40162", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T19:31:56.014Z", "datePublished": "2026-04-10T17:02:58.985Z", "dateUpdated": "2026-04-10T18:30:44.339Z"}, "containers": {"cna": {"title": "Bugsink affected by authenticated arbitrary file write in artifactbundle/assemble", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/bugsink/bugsink/security/advisories/GHSA-8hw4-fhww-273g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bugsink/bugsink/security/advisories/GHSA-8hw4-fhww-273g"}, {"name": "https://github.com/bugsink/bugsink/releases/tag/2.1.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/bugsink/bugsink/releases/tag/2.1.1"}], "affected": [{"vendor": "bugsink", "product": "bugsink", "versions": [{"version": ">= 2.1.0, < 2.1.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T17:02:58.985Z"}, "descriptions": [{"lang": "en", "value": "Bugsink is a self-hosted error tracking tool. In 2.1.0, an authenticated file write vulnerability was identified in Bugsink 2.1.0 in the artifact bundle assembly flow. A user with a valid authentication token could cause the application to write attacker-controlled content to a filesystem location writable by the Bugsink process. This vulnerability is fixed in 2.1.1."}], "source": {"advisory": "GHSA-8hw4-fhww-273g", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T18:30:36.608268Z", "id": "CVE-2026-40162", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T18:30:44.339Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40162", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T18:30:36.608268Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T18:30:40.731Z"}}], "cna": {"title": "Bugsink affected by authenticated arbitrary file write in artifactbundle/assemble", "source": {"advisory": "GHSA-8hw4-fhww-273g", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "bugsink", "product": "bugsink", "versions": [{"status": "affected", "version": ">= 2.1.0, < 2.1.1"}]}], "references": [{"url": "https://github.com/bugsink/bugsink/security/advisories/GHSA-8hw4-fhww-273g", "name": "https://github.com/bugsink/bugsink/security/advisories/GHSA-8hw4-fhww-273g", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/bugsink/bugsink/releases/tag/2.1.1", "name": "https://github.com/bugsink/bugsink/releases/tag/2.1.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Bugsink is a self-hosted error tracking tool. In 2.1.0, an authenticated file write vulnerability was identified in Bugsink 2.1.0 in the artifact bundle assembly flow. A user with a valid authentication token could cause the application to write attacker-controlled content to a filesystem location writable by the Bugsink process. This vulnerability is fixed in 2.1.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T17:02:58.985Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40162", "state": "PUBLISHED", "dateUpdated": "2026-04-10T18:30:44.339Z", "dateReserved": "2026-04-09T19:31:56.014Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-10T17:02:58.985Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bugsink:bugsink:2.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "C825F884-2C32-4580-9A0F-21BCE3752643", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Bugsink is a self-hosted error tracking tool. In 2.1.0, an authenticated file write vulnerability was identified in Bugsink 2.1.0 in the artifact bundle assembly flow. A user with a valid authentication token could cause the application to write attacker-controlled content to a filesystem location writable by the Bugsink process. This vulnerability is fixed in 2.1.1."}], "id": "CVE-2026-40162", "lastModified": "2026-04-15T19:05:54.373", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-10T18:16:46.083", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/bugsink/bugsink/releases/tag/2.1.1"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/bugsink/bugsink/security/advisories/GHSA-8hw4-fhww-273g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.1.0,2.1.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "bugsink", "source": "cna", "vendor": "bugsink"}, "product": "bugsink", "vendor": "bugsink"}], "analysis": {"en": {"generated_at": "2026-04-10T18:21:08.563119+00:00", "value": {"mitigation_remediation": ["Upgrade Bugsink to version 2.1.1 or newer to apply the vendor fix.", "Restrict the use of authentication tokens to the minimum set of permissions required for users.", "Verify file system permissions to ensure the Bugsink process can only write to intended directories."], "summary": {"action": "Apply patch", "impact": "Arbitrary file write"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Bugsink version 2.1.0. All deployments running this version are at risk. The issue was fixed in Bugsink 2.1.1, so upgrades to that version or later eliminate the flaw.", "description_and_impact": "Bugsink, a self-hosted error tracking tool, contains an issue in the artifact bundle assembly process that allows an authenticated attacker to write arbitrary content to any file system location that the Bugsink process can write to. This flaw is due to insufficient validation of user input (CWE\u201120). Consequently, a malicious user with a valid authentication token could overwrite configuration files, deploy malicious scripts, or otherwise alter the system, potentially compromising confidentiality, integrity, or availability.", "risk_and_exploitability": "The CVSS score of 7.1 indicates a high\u2011severity risk. Because the flaw requires authentication, the attack vector is confined to legitimate users or compromised accounts; nevertheless, any token holder can exploit the vulnerability. EPSS data is unavailable, so the exploitation likelihood cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog. Organizations should treat this as a high\u2011risk flaw capable of enabling significant system damage if not remedied promptly."}}}}, "created": "2026-04-13T12:43:45.340931+00:00", "updated": "2026-04-13T13:00:08.809278+00:00", "vendors": ["bugsink", "bugsink$PRODUCT$bugsink"]}