CVE-2026-44502— Bugsink: SSRF bypass in `validate_webhook_url`
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-44502
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Bugsink: SSRF bypass in `validate_webhook_url`
Source: NVD (National Vulnerability Database)
Vulnerability Description
Bugsink is a self-hosted error tracking tool. Prior to 2.1.3, Bugsink’s webhook URL validation could be (partially) bypassed because of a mismatch in URL parsing. The original validation logic parsed webhook URLs with Python’s urllib.parse.urlparse, then sent the request with requests.post. For malformed inputs involving backslashes and @, those components can disagree about where the authority ends and which hostname is the real target. A URL may therefore appear to target an allowlisted public hostname during validation, while the HTTP client actually connects to a different host. This vulnerability is fixed in 2.1.3.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
服务端请求伪造(SSRF)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Bugsink 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Bugsink是Bugsink开源的一个自托管Bug跟踪软件。 Bugsink 2.1.3之前版本存在代码问题漏洞,该漏洞源于URL解析不匹配导致Webhook URL验证可被部分绕过,可能使攻击者绕过验证并连接到不同主机。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-44502
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-44502
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-44502 (1)
Vendor Advisories for CVE-2026-44502 (2)
Same Patch Batch · bugsink · 2026-05-26 · 4 CVEs total
| CVE-2026-47728 | 4.3 MEDIUM | Bugsink: Project scoping missing in sourcemap and debug-file lookup |
| CVE-2026-47715 | 3.1 LOW | Bugsink: Issue event views can show an event from another project if its UUID is known |
| CVE-2026-47716 | 3.1 LOW | Bugsink: Issue bulk actions can affect another project’s issue if its UUID is known |
IV. Related Vulnerabilities
Same product: bugsink
- CVE-2026-47716
Bugsink: Issue bulk actions can affect another project’s iss - CVE-2026-47715
Bugsink: Issue event views can show an event from another pr - CVE-2026-47728
Bugsink: Project scoping missing in sourcemap and debug-file - CVE-2026-40162
Bugsink affected by authenticated arbitrary file write in ar - CVE-2026-27614
Bugsink is vulnerable to Stored XSS via Pygments fallback in
Same vendor: bugsink
- CVE-2026-47716
Bugsink: Issue bulk actions can affect another project’s iss - CVE-2026-47715
Bugsink: Issue event views can show an event from another pr - CVE-2026-47728
Bugsink: Project scoping missing in sourcemap and debug-file - CVE-2026-40162
Bugsink affected by authenticated arbitrary file write in ar - CVE-2026-27614
Bugsink is vulnerable to Stored XSS via Pygments fallback in
Same weakness: CWE-918
- CVE-2026-9813
FlowIntel external reference URL probe allows server-side re - CVE-2026-5737
Independent Analytics <= 2.14.9 - Unauthenticated Server-Sid - CVE-2026-48148
Budibase: Unvalidated VectorDB Host Parameter Enables SSRF - CVE-2026-45548
Budibase: SSRF in AI Extract File Automation Step via Missin - CVE-2026-45715
Budibase: SSRF Bypass via HTTP Redirect in REST Datasource I
V. Comments for CVE-2026-44502
No comments yet