PYSEC-2026-1227

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/bugsink/PYSEC-2026-1227.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1227
Aliases
Published
2026-07-07T16:03:10.164693Z
Modified
2026-07-07T17:47:33.578412163Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Bugsink is vulnerable to unauthenticated remote DoS via crafted Brotli input (via CPU)
Details

Impact

In affected versions, a specially crafted Brotli-compressed envelope can cause Bugsink to spend excessive CPU time in decompression, leading to denial of service.

This can be done if the DSN is known, which it is in many common setups (JavaScript, Mobile Apps).

Patches

Patched in Bugsink 2.0.6

References

The vulnerability in this security advisory is similar to, but distinct from, another brotli-related problem in Bugsink:

https://github.com/bugsink/bugsink/security/advisories/GHSA-fc2v-vcwj-269v

References

Affected packages

PyPI / bugsink

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.0.6

Affected versions

0.*
0.0.1
0.1.12
0.1.13
0.1.14
0.1.15
0.1.16
0.1.17
0.1.18
0.1.19
0.1.20
1.*
1.0.0
1.0.1
1.1.0
1.1.1
1.1.2
1.2.0
1.3.0
1.4.0
1.4.1
1.4.2
1.4.3
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.7.0
1.7.1
1.7.2
1.7.3
1.7.4
1.7.5
1.7.6
2.*
2.0.0a1
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/bugsink/PYSEC-2026-1227.yaml"