CVE-2026-27614
Bugsink · Bugsink
An unauthenticated stored cross-site scripting (XSS) vulnerability in Bugsink allows attackers to execute arbitrary JavaScript in an administrator's browser, leading to account takeover.
Executive summary
Unauthenticated attackers can submit crafted events to Bugsink's ingestion endpoint and inject script into the stored event data (the stack-trace source lines shown on an issue page). The script executes when an administrator views the issue, potentially resulting in full administrative compromise.
Vulnerability
The flaw is in the _pygmentize_lines() function in theme/templatetags/issues.py, the template tag that syntax-highlights stack-trace source lines for display. When highlighting is not applied, the function falls back to the raw input and passes it to mark_safe() without escaping it, which bypasses Django's template autoescaping. Because that raw input comes from an attacker-submitted event, an unauthenticated attacker can store HTML and script that runs in the browser of whoever opens the issue.
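The pattern described above, shown as an added illustration beside its hardened form. This is not Bugsink's code: the real _pygmentize_lines() is not reproduced here, Django's mark_safe/SafeString are replaced by a two-line shim so the file runs without Django, and the bogus lexer name and the sample payload line are constructed to force the fallback path deterministically whether or not pygments is installed.

```python
"""Illustrative reconstruction (not Bugsink's code) of an unescaped raw-input
fallback in a syntax-highlighting template tag, beside the hardened version."""
import html


class SafeString(str):
    """Stand-in for django.utils.safestring.SafeString: a str the template
    engine renders without autoescaping."""


def mark_safe(s):
    """Stand-in for django.utils.safestring.mark_safe."""
    return SafeString(s)


def _highlight(lines, lexer_name):
    """Highlight with pygments. Any failure (pygments not installed, unknown
    lexer name) raises, which is what sends callers down the fallback path."""
    from pygments import highlight
    from pygments.formatters import HtmlFormatter
    from pygments.lexers import get_lexer_by_name

    out = highlight("\n".join(lines), get_lexer_by_name(lexer_name),
                    HtmlFormatter(nowrap=True))
    return out.split("\n")[: len(lines)]


def pygmentize_lines_vulnerable(lines, lexer_name):
    """The pattern the advisory describes: when highlighting is not applied,
    the raw lines are wrapped in mark_safe() unchanged, so any HTML in an
    attacker-submitted stack-trace line is rendered as markup."""
    try:
        highlighted = _highlight(lines, lexer_name)
    except Exception:
        highlighted = lines  # raw, unescaped fallback: the bug
    return [mark_safe(line) for line in highlighted]


def pygmentize_lines_fixed(lines, lexer_name):
    """Hardened version: the fallback escapes each line before it is marked
    safe. Pygments escapes its own output, so both branches are safe."""
    try:
        highlighted = _highlight(lines, lexer_name)
    except Exception:
        highlighted = [html.escape(line, quote=True) for line in lines]
    return [mark_safe(line) for line in highlighted]


# Constructed sample: a "source line" an attacker could place in an event's
# stack-trace context. The lexer name is bogus on purpose so that the fallback
# path is taken regardless of whether pygments is available.
PAYLOAD_LINE = "<img src=x onerror=alert(1)>"
BOGUS_LEXER = "no-such-lexer"


def demo():
    """Return (what the vulnerable tag renders, what the fixed tag renders)."""
    before = pygmentize_lines_vulnerable([PAYLOAD_LINE], BOGUS_LEXER)
    after = pygmentize_lines_fixed([PAYLOAD_LINE], BOGUS_LEXER)
    return before[0], after[0]


if __name__ == "__main__":
    raw, escaped = demo()
    print("vulnerable renders:", raw)      # markup, executes in the viewer's browser
    print("fixed renders:     ", escaped)  # text, displayed literally
```

The point to carry over to a code review of any template tag: mark_safe() is a promise that the string is already safe, so every branch that produces the string, including error and fallback branches, must escape untrusted input before that promise is made.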
Business impact
A successful exploit lets the attacker act as the victim administrator: hijack the session, modify project settings, or read sensitive error data and source-code snippets. The CVSS score of 9.3 reflects that no authentication is needed to plant the payload and that it targets high-privilege users; the only precondition is that an administrator later opens the affected issue.
Remediation
Immediate Action: Update Bugsink to version 2.0.13 or later, which ensures that stack-trace output is escaped before it is rendered.
Proactive Monitoring: Review web server and application logs for unusual DSN (event ingestion) endpoint activity, such as events arriving from unexpected client addresses, and search stored event data (stack-trace context lines, frame filenames and function names, exception messages) for HTML tags, inline event handlers or javascript: URLs.
Compensating Controls: Until the update is applied, a Web Application Firewall (WAF) in front of the ingestion endpoint can filter common XSS patterns, and access to the Bugsink web UI can be restricted to known administrative IP ranges. WAF signatures are bypassable and are a stopgap, not a fix. The DSN endpoint must remain reachable by the applications that report to it, so the IP restriction applies to the UI, not to ingestion.
Exploitation status
Public Exploit Available: No
Analyst recommendation
The ability of unauthenticated external actors to reach internal administrators through the standard error-reporting protocol is a significant risk: the attack surface is the same endpoint your own applications use to report errors. We strongly recommend immediate deployment of version 2.0.13 and a thorough audit of existing stored events for suspicious scripts. Because the fix is applied at render time, stored payloads stop executing once the update is deployed, but their presence shows the instance was targeted and that administrators who viewed those issues before the update may already have been compromised.
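An added example for the monitoring step and the audit recommendation above (not from Bugsink): a recursive scan of Sentry-protocol event payloads for HTML tags, inline event handlers and javascript: URLs in any string field, reporting the JSON path of each hit so an analyst can pull the offending issue. It assumes you can export stored event payloads as a JSON array from your Bugsink database; the advisory does not specify an export mechanism, so the file path argument is a placeholder. The two sample events, their field layout and the marker patterns are constructed for the demo and should be tuned to your own codebases.

```python
"""Scan exported Bugsink/Sentry event JSON for script-injection markers.
Added example, not part of Bugsink. Usage: python scan_events.py export.json
(a JSON array of event payloads); with no argument it scans the built-in
constructed samples."""
import json
import re
import sys

# Cheap, high-signal markers. Real source lines routinely contain '<', so a
# bare '<' is deliberately not a marker; we look for tag names, well-known
# inline event handlers and javascript: URLs instead. First match wins.
MARKERS = [
    ("html_tag", re.compile(
        r"<\s*/?\s*(?:script|img|svg|iframe|object|embed|a|body|style|link"
        r"|meta|input|form|video|audio|math|details)\b", re.IGNORECASE)),
    ("event_handler", re.compile(
        r"\bon(?:error|load|click|mouseover|mouseenter|focus|blur|toggle"
        r"|animationstart|pointerover|input|change|keydown)\s*=", re.IGNORECASE)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.IGNORECASE)),
]


def _walk(node, path=""):
    """Yield (json_path, string) for every string anywhere in a JSON value."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def scan_event(event):
    """Return one finding per suspicious string: {path, marker, value}."""
    findings = []
    for path, text in _walk(event):
        for name, rx in MARKERS:
            if rx.search(text):
                findings.append({"path": path, "marker": name, "value": text})
                break
    return findings


def scan_events(events):
    """Scan many events, tagging each finding with the event it came from."""
    out = []
    for event in events:
        for finding in scan_event(event):
            finding["event_id"] = event.get("event_id")
            out.append(finding)
    return out


# Constructed samples in the Sentry event layout Bugsink ingests.
SAMPLE_EVENTS = [
    {   # benign: '<' in a comparison and an 'onload_'-prefixed name must not fire
        "event_id": "a" * 32, "platform": "python",
        "exception": {"values": [{"type": "ValueError", "value": "bad input",
            "stacktrace": {"frames": [{
                "filename": "app/views.py", "function": "index", "lineno": 12,
                "pre_context": ["def index(request):", "    onload_hook = None"],
                "context_line": "    if a < b and not done: raise ValueError('bad input')",
                "post_context": ["    return a"]}]}}]},
    },
    {   # malicious: markers in two attacker-controlled fields
        "event_id": "b" * 32, "platform": "javascript",
        "exception": {"values": [{"type": "Error",
            "value": "Request failed: javascript:alert(1)",
            "stacktrace": {"frames": [
                {"filename": "app.js", "function": "main", "lineno": 1,
                 "context_line": "main();"},
                {"filename": "app.js", "function": "render", "lineno": 2,
                 "context_line": "<img src=x onerror=alert(1)>"}]}}]},
    },
]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            events = json.load(fh)  # placeholder export format: a JSON array
    else:
        events = SAMPLE_EVENTS
    for f in scan_events(events):
        print(f"{f['event_id']}  {f['marker']:<15} {f['path']}: {f['value'][:80]}")
```

Treat any hit as an indicator that the instance was targeted: check the web server logs for who viewed that issue and when, and whether those sessions predate the update to 2.0.13.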