Skip to content

Commit abae2f2

Browse files
1 parent ec31a10 commit abae2f2

6 files changed

Lines changed: 388 additions & 0 deletions

File tree

Lines changed: 64 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,64 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-2g2g-8p8h-fgwm",
4+
"modified": "2026-06-05T21:47:33Z",
5+
"published": "2026-06-05T21:46:26Z",
6+
"aliases": [
7+
"CVE-2026-47730"
8+
],
9+
"summary": "Twig: XSS in profiler HtmlDumper via unescaped template and profile names",
10+
"details": "### Description\n\n`Twig\\Profiler\\Dumper\\HtmlDumper` writes `Profile::getTemplate()` and `Profile::getName()` straight into its HTML output without escaping:\n\n```php\nprotected function formatTemplate(Profile $profile, $prefix): string\n{\n return \\sprintf('%s└ <span style=\"background-color: %s\">%s</span>', $prefix, self::$colors['template'], $profile->getTemplate());\n}\n```\n\nThe template name comes from the loader (the array key for `ArrayLoader`, a row id for a database-backed loader, etc.). When that name is attacker-controlled, the profiler dump emits arbitrary HTML, and any browser that renders it executes the injected markup. This is an output-encoding bug in profiler/debug tooling, not a sandbox escape.\n\n### Resolution\n\n`HtmlDumper` now runs both `Profile::getTemplate()` and `Profile::getName()` through `htmlspecialchars()` before inserting them into the HTML output.\n\n### Credits\n\nTwig would like to thank El Kharoubi Iosif for reporting the issue and Nicolas Grekas for fixing it.",
11+
"severity": [],
12+
"affected": [
13+
{
14+
"package": {
15+
"ecosystem": "Packagist",
16+
"name": "twig/twig"
17+
},
18+
"ranges": [
19+
{
20+
"type": "ECOSYSTEM",
21+
"events": [
22+
{
23+
"introduced": "3.0.0"
24+
},
25+
{
26+
"fixed": "3.26.0"
27+
}
28+
]
29+
}
30+
]
31+
}
32+
],
33+
"references": [
34+
{
35+
"type": "WEB",
36+
"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-2g2g-8p8h-fgwm"
37+
},
38+
{
39+
"type": "WEB",
40+
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2026-47730.yaml"
41+
},
42+
{
43+
"type": "PACKAGE",
44+
"url": "https://github.com/twigphp/Twig"
45+
},
46+
{
47+
"type": "WEB",
48+
"url": "https://github.com/twigphp/Twig/releases/tag/v3.26.0"
49+
},
50+
{
51+
"type": "WEB",
52+
"url": "https://symfony.com/cve-2026-47730"
53+
}
54+
],
55+
"database_specific": {
56+
"cwe_ids": [
57+
"CWE-79"
58+
],
59+
"severity": "LOW",
60+
"github_reviewed": true,
61+
"github_reviewed_at": "2026-06-05T21:46:26Z",
62+
"nvd_published_at": null
63+
}
64+
}
Lines changed: 65 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,65 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-5389-f7vh-wxj8",
4+
"modified": "2026-06-05T21:44:33Z",
5+
"published": "2026-06-05T21:44:33Z",
6+
"aliases": [
7+
"CVE-2026-47728"
8+
],
9+
"summary": "Bugsink: Project scoping missing in sourcemap and debug-file lookup",
10+
"details": "### Summary\n\nBugsink before 2.2.0 resolved sourcemaps and debug files by debug ID without scoping that lookup to the project that owned the uploaded metadata. An authenticated user with access to one project could cause event processing in that project to use sourcemap/debug-file metadata uploaded for another project in the same Bugsink instance, if the same debug ID was referenced.\n\n### Impact\n\nThis could disclose source context or symbolication-derived context from another project on the same Bugsink instance.\n\nFor sourcemaps, the documented upload flow used `sentry-cli sourcemaps upload` with `--project=ignoredfornow`. In other words, Bugsink did not historically treat the project value supplied during sourcemap upload as meaningful project ownership. This was documented, but at the same time the `sentry-cli`, which requires project as a parameter, was the recommended mechanism for uploads. This could reasonably lead people to expect that sourcemaps uploads would respect the provided project-boundary.\n\nFor minidumps/debug files specifically, the affected functionality also required `FEATURE_MINIDUMPS` to be enabled. That feature was marked experimental.\n\nThe practical impact is further limited by Bugsink’s deployment model: self-hosted instances are commonly operated within a single organization/trust domain, and Hosted Bugsink uses separate Bugsink instances per tenant. The issue does not cross Hosted Bugsink tenant boundaries.\n\n### Affected Versions\n2.1.3 and earlier are affected.\n\n### Patched Versions\n2.2.0 fixes this issue.\n\n### Post-Upgrade Notes\n\nAfter upgrading, upload sourcemaps/debug files with project information.\n\nTo remove legacy projectless sourcemap metadata immediately, run, after upgrading:\n\n```\nbugsink-manage delete_legacy_sourcemaps\n```",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "PyPI",
21+
"name": "bugsink"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "2.2.0"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/bugsink/bugsink/security/advisories/GHSA-5389-f7vh-wxj8"
42+
},
43+
{
44+
"type": "ADVISORY",
45+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47728"
46+
},
47+
{
48+
"type": "PACKAGE",
49+
"url": "https://github.com/bugsink/bugsink"
50+
},
51+
{
52+
"type": "WEB",
53+
"url": "https://github.com/bugsink/bugsink/releases/tag/2.2.0"
54+
}
55+
],
56+
"database_specific": {
57+
"cwe_ids": [
58+
"CWE-862"
59+
],
60+
"severity": "MODERATE",
61+
"github_reviewed": true,
62+
"github_reviewed_at": "2026-06-05T21:44:33Z",
63+
"nvd_published_at": "2026-05-26T17:16:53Z"
64+
}
65+
}
Lines changed: 62 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,62 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-5x67-j5xg-c5gj",
4+
"modified": "2026-06-05T21:45:40Z",
5+
"published": "2026-06-05T21:45:40Z",
6+
"aliases": [],
7+
"summary": "Bugsink: DOS using large numbers of event tags",
8+
"details": "### Summary\n\nIn affected versions, Bugsink stores every tag supplied with an incoming event. An event with an unusually large number\nof custom (i.e. supplied by an attacker) tags can therefore make ingestion spend more time than intended writing tag rows.\n\nBugsink uses a single-writer database architecture. That keeps the implementation simple, but it also means one\nexpensive write transaction can delay other event digestion while it is running. In this case, it makes ingestion of\nother events wait until the transaction that writes the tags finishes, which effectively causes a temporary denial of\nservice for other events.\n\n### Impact\n\nSubmitting such an event requires a valid project DSN. DSNs are sometimes visible in client-side applications, so they\nshould not be treated as a strong security boundary, but the issue is still limited to ingestion for a Bugsink instance\nthat accepts the event.\n\nThe impact is availability-only. The issue does not expose stored data, modify existing events, or allow code execution.\n\n### Mitigation\n\nUpdate to version 2.2.2, which caps the number of tags stored for a single event. The default cap is 100 tags and can\nbe changed with `MAX_EVENT_TAGS`.",
9+
"severity": [
10+
{
11+
"type": "CVSS_V3",
12+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "PyPI",
19+
"name": "bugsink"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "0"
27+
},
28+
{
29+
"fixed": "2.2.2"
30+
}
31+
]
32+
}
33+
],
34+
"database_specific": {
35+
"last_known_affected_version_range": "<= 2.2.1"
36+
}
37+
}
38+
],
39+
"references": [
40+
{
41+
"type": "WEB",
42+
"url": "https://github.com/bugsink/bugsink/security/advisories/GHSA-5x67-j5xg-c5gj"
43+
},
44+
{
45+
"type": "PACKAGE",
46+
"url": "https://github.com/bugsink/bugsink"
47+
},
48+
{
49+
"type": "WEB",
50+
"url": "https://github.com/bugsink/bugsink/releases/tag/2.2.2"
51+
}
52+
],
53+
"database_specific": {
54+
"cwe_ids": [
55+
"CWE-400"
56+
],
57+
"severity": "MODERATE",
58+
"github_reviewed": true,
59+
"github_reviewed_at": "2026-06-05T21:45:40Z",
60+
"nvd_published_at": null
61+
}
62+
}
Lines changed: 65 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,65 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-g5vc-q7qc-v939",
4+
"modified": "2026-06-05T21:43:56Z",
5+
"published": "2026-06-05T21:43:56Z",
6+
"aliases": [
7+
"CVE-2026-47716"
8+
],
9+
"summary": "Bugsink: Issue bulk actions can affect another project’s issue if its UUID is known",
10+
"details": "### Description\nBugsink’s issue list supports bulk actions such as resolving or muting selected issues. In affected versions, the issue list view authorizes access through the project in the URL, but applies the requested bulk action to the submitted issue IDs without also requiring those issues to belong to that project.\n\nThis is a project-boundary authorization issue: a logged-in user with access to one project can change the state of an issue in another project. However, the issue is mitigated by two factors. First, the attacker needs to already know a valid target issue UUID; there is no issue enumeration path here, and guessing UUIDs is not practical. Second, Bugsink is commonly self-hosted within a single trust domain, and Hosted Bugsink gives each tenant a separate Bugsink instance, so cross-project access does not normally imply cross-tenant access.\n\nThis has been fixed by requiring bulk issue actions to operate only on issues belonging to the authorized project.\n\n### Impact\n\nLow-severity cross-project issue state modification, requiring authentication and prior knowledge of a valid issue UUID.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "PyPI",
21+
"name": "bugsink"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "2.2.0"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/bugsink/bugsink/security/advisories/GHSA-g5vc-q7qc-v939"
42+
},
43+
{
44+
"type": "ADVISORY",
45+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47716"
46+
},
47+
{
48+
"type": "PACKAGE",
49+
"url": "https://github.com/bugsink/bugsink"
50+
},
51+
{
52+
"type": "WEB",
53+
"url": "https://github.com/bugsink/bugsink/releases/tag/2.2.0"
54+
}
55+
],
56+
"database_specific": {
57+
"cwe_ids": [
58+
"CWE-639"
59+
],
60+
"severity": "LOW",
61+
"github_reviewed": true,
62+
"github_reviewed_at": "2026-06-05T21:43:56Z",
63+
"nvd_published_at": "2026-05-26T17:16:52Z"
64+
}
65+
}
Lines changed: 67 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,67 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-pr2w-4gpj-cpq4",
4+
"modified": "2026-06-05T21:47:11Z",
5+
"published": "2026-06-05T21:47:11Z",
6+
"aliases": [
7+
"CVE-2026-47732"
8+
],
9+
"summary": "Twig: Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points",
10+
"details": "### Description\n\n`SandboxNodeVisitor` enforces `SecurityPolicy::checkMethodAllowed()` for implicit `__toString()` calls by wrapping selected AST nodes in `CheckToStringNode`. The set of wrapped nodes is incomplete, and several Twig language constructs still trigger PHP string coercion on a `Stringable` operand without first consulting the policy. A sandboxed template author can therefore invoke `__toString()` on any object reachable in the render context, even when `__toString` on its class is not allowlisted.\n\nConfirmed bypass vectors:\n\n- Conditional expressions (`a ? b : c`, `a ?: b`, `a ?? b`) used as the input of a string-coercing filter or as a filter/function argument.\n- The `matches` operator and the loose comparison operators (`==`, `!=`, `<`, `>`, `<=`, `>=`, `<=>`), which coerce a `Stringable` operand to string and can be used as an oracle to recover the value byte by byte (no tag, filter or function needs to be allowlisted).\n- Twig tests in general (which were never policy-gated), in particular `is empty` which casts a `Stringable` value via `(string) $value` in `CoreExtension::testEmpty()`.\n- Null-coalesce expressions nested in concatenation, and the direct output of allowed functions or filters that return a `Stringable` object.\n- Arguments passed to allowed object methods, template-name expressions of template-loading tags (`include`, `extends`, `use`, ...), dynamic attribute/property names, and spread arguments from `Traversable` objects.\n- The `do` tag and the `..` range operator.\n\n### Resolution\n\nThe sandbox now wraps every child node that the parent will string-coerce at runtime, instead of relying on a hardcoded list of node types in `SandboxNodeVisitor`. A new `Twig\\Node\\CoercesChildrenToStringInterface` lets nodes declare which of their children must be guarded; core nodes (concatenation, comparison and range binaries, filter/function/test expressions, `do`, `include`, `extends`, `use`, ...) implement it. Spread arguments are materialised and policy-checked via the new `SandboxExtension::ensureSpreadAllowed()`, and dynamic attribute names are checked at runtime inside `CoreExtension::getAttribute()`.\n\n### Credits\n\nTwig would like to thank Anthropic Glasswing and El Kharoubi Iosif for reporting the issues, and Fabien Potencier for providing the fixes.",
11+
"severity": [],
12+
"affected": [
13+
{
14+
"package": {
15+
"ecosystem": "Packagist",
16+
"name": "twig/twig"
17+
},
18+
"ranges": [
19+
{
20+
"type": "ECOSYSTEM",
21+
"events": [
22+
{
23+
"introduced": "0"
24+
},
25+
{
26+
"fixed": "3.26.0"
27+
}
28+
]
29+
}
30+
],
31+
"database_specific": {
32+
"last_known_affected_version_range": "<= 3.25.0"
33+
}
34+
}
35+
],
36+
"references": [
37+
{
38+
"type": "WEB",
39+
"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-pr2w-4gpj-cpq4"
40+
},
41+
{
42+
"type": "WEB",
43+
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2026-47732.yaml"
44+
},
45+
{
46+
"type": "PACKAGE",
47+
"url": "https://github.com/twigphp/Twig"
48+
},
49+
{
50+
"type": "WEB",
51+
"url": "https://github.com/twigphp/Twig/releases/tag/v3.26.0"
52+
},
53+
{
54+
"type": "WEB",
55+
"url": "https://symfony.com/cve-2026-47732"
56+
}
57+
],
58+
"database_specific": {
59+
"cwe_ids": [
60+
"CWE-20"
61+
],
62+
"severity": "HIGH",
63+
"github_reviewed": true,
64+
"github_reviewed_at": "2026-06-05T21:47:11Z",
65+
"nvd_published_at": null
66+
}
67+
}
Lines changed: 65 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,65 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-vx2f-6m6h-9frf",
4+
"modified": "2026-06-05T21:43:23Z",
5+
"published": "2026-06-05T21:43:23Z",
6+
"aliases": [
7+
"CVE-2026-47715"
8+
],
9+
"summary": "Bugsink: Issue event views can show an event from another project if its UUID is known",
10+
"details": "### Description\n\nBugsink issue event pages accept a direct event identifier from the URL and, in affected versions, look up that event without also requiring it to belong to the issue in the URL.\n\nThis is a project-boundary authorization issue: a logged-in user with access to one project can view another project’s event data through an issue they are allowed to access. However, the issue is mitigated by two factors. First, the attacker needs to already know a valid target event UUID; there is no event enumeration path here, and guessing UUIDs is not practical. Second, Bugsink is commonly self-hosted within a single trust domain, and Hosted Bugsink gives each tenant a separate Bugsink instance, so cross-project access does not normally imply cross-tenant access.\n\nThe affected views include the stacktrace, details, and breadcrumbs pages for an issue event.\n\nThis has been fixed by requiring direct event lookups to match both the authorized issue and the project.\n\n### Impact\nLow-severity cross-project event data exposure, requiring authentication and prior knowledge of a valid event UUID.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "PyPI",
21+
"name": "bugsink"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "2.2.0"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/bugsink/bugsink/security/advisories/GHSA-vx2f-6m6h-9frf"
42+
},
43+
{
44+
"type": "ADVISORY",
45+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47715"
46+
},
47+
{
48+
"type": "PACKAGE",
49+
"url": "https://github.com/bugsink/bugsink"
50+
},
51+
{
52+
"type": "WEB",
53+
"url": "https://github.com/bugsink/bugsink/releases/tag/2.2.0"
54+
}
55+
],
56+
"database_specific": {
57+
"cwe_ids": [
58+
"CWE-639"
59+
],
60+
"severity": "LOW",
61+
"github_reviewed": true,
62+
"github_reviewed_at": "2026-06-05T21:43:23Z",
63+
"nvd_published_at": "2026-05-26T17:16:52Z"
64+
}
65+
}

0 commit comments

Comments
 (0)