What is the CVSS score of CVE-2026-40162?

CVE-2026-40162 has a CVSS 3.1 base score of 7.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L. EPSS exploitation probability: 0.1%.

Which versions of Bugsink are affected by CVE-2026-40162?

Bugsink 2.1.0 contains an authenticated arbitrary file write vulnerability that allows authorized users to corrupt or replace application files, potentially disrupting the error tracking platform and…. A patch is available.

How to fix or mitigate CVE-2026-40162?

Within 24 hours: Inventory all Bugsink deployments and confirm version 2.1.0 instances; restrict authentication token distribution and audit active tokens for unauthorized issuance. Within 7 days: Implement filesystem access controls and file integrity monitoring on Bugsink application directories; consider isolating Bugsink instances to sandboxed containers with minimal write permissions. Within 30 days: Contact Bugsink vendor for patch timeline; evaluate migration to patched version when released or transition to alternative error tracking solutions if patch is not forthcoming.

Bugsink CVE-2026-40162

EUVD-2026-21515 HIGH

Improper Input Validation (CWE-20)

2026-04-10 GitHub_M

GHSA-8hw4-fhww-273g

Information Disclosure Bugsink

7.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.1 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

Low

Lifecycle Timeline

Patch released

Apr 10, 2026 - 20:30 nvd

Patch available

EUVD ID Assigned

Apr 10, 2026 - 18:00 euvd

EUVD-2026-21515

Analysis Generated

Apr 10, 2026 - 18:00 vuln.today

CVE Published

Apr 10, 2026 - 17:02 nvd

HIGH 7.1

DescriptionGitHub Advisory

Bugsink is a self-hosted error tracking tool. In 2.1.0, an authenticated file write vulnerability was identified in Bugsink 2.1.0 in the artifact bundle assembly flow. A user with a valid authentication token could cause the application to write attacker-controlled content to a filesystem location writable by the Bugsink process. This vulnerability is fixed in 2.1.1.

AnalysisAI

Authenticated arbitrary file write in Bugsink 2.1.0 allows remote attackers to write malicious content to filesystem locations accessible by the application process through exploitation of the artifact bundle assembly flow. Attackers holding valid authentication tokens can achieve high-integrity impact and partial availability disruption by manipulating file operations. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate with valid token

Delivery

Upload malicious artifact bundle

Exploit

Trigger bundle assembly flow

Execution

Write attacker content to writable filesystem

Impact

Corrupt application state or inject malicious files