CVE-2026-50882
Received - Intake
BaseFortify

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: MITRE

Description
An issue in the /api/v0/pastes endpoint of anna-is-cute paste v0.1.1 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.
Meta Information
Published: 2026-06-15
Last Modified: 2026-06-15
Generated: 2026-06-16
AI Q&A: 2026-06-15
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: anna-is-cute
Product: paste
Version / Range: 0.1.1
CWE ID: CWE-UNKNOWN
Executive Summary

The CVE-2026-50882 vulnerability affects the paste 0.1.1 application, specifically the /api/v0/pastes endpoint. It occurs because the application improperly handles compressed base64-encoded paste content during deserialization. Attackers can send a crafted POST request containing compressed (gzip or xz) base64-encoded content that decompresses into a much larger size than the original request. Since the JSON request-size limit only applies to the compressed payload and not the decompressed content, this allows attackers to bypass size restrictions.

When the server decompresses and expands this content before storing it, it can lead to excessive memory consumption or disk exhaustion. This improper size validation during deserialization enables attackers to cause a Denial of Service (DoS) by overwhelming server resources.

Impact Analysis

This vulnerability can cause a Denial of Service (DoS) condition on the server running the paste 0.1.1 application. Attackers can exploit the flaw by sending small compressed requests that expand into very large files when decompressed, consuming excessive memory or disk space.

As a result, the server may become unresponsive or crash due to resource exhaustion, disrupting normal service availability and potentially affecting users who rely on the application.

Detection Guidance

Exploitation attempts can be detected by monitoring for unusual POST requests to the /api/v0/pastes endpoint that contain compressed (gzip or xz) base64-encoded content fields in JSON payloads.

Specifically, detection involves identifying small-sized JSON requests that decompress into significantly larger content, which may indicate attempts to exploit the decompression expansion flaw.

Network or system administrators can use tools like curl or tcpdump to capture and inspect POST requests to the vulnerable endpoint.

  • Use curl to send a test POST request with compressed base64-encoded content to observe server behavior.
  • Use tcpdump or Wireshark to capture HTTP traffic and filter for POST requests to /api/v0/pastes.
  • Analyze server logs for repeated POST requests with small payloads that result in large disk writes or memory usage spikes.

Mitigation Strategies

Immediate mitigation steps include implementing strict size validation on the decompressed content before writing it to disk to prevent resource exhaustion.

Additionally, rate limiting POST requests to the /api/v0/pastes endpoint can reduce the risk of denial-of-service attacks by limiting repeated exploit attempts.

If possible, update or patch the anna-is-cute paste application to a version that addresses this vulnerability.

Monitoring resource usage and setting alerts for unusual memory or disk consumption can help detect ongoing exploitation attempts.
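The size validation on decompressed content described above, as an added Python example (not the paste project's own code). The function name, the "gzip" and "xz" format selectors, and the 1 MiB cap are assumptions, and the sample payloads are constructed.

```python
import base64
import gzip
import lzma
import zlib

MAX_DECOMPRESSED = 1024 * 1024  # assumed policy: 1 MiB per paste, not the project's value


class ContentTooLarge(ValueError):
    """Decompressed content would exceed the configured cap."""


def decode_content(b64_value, fmt, limit=MAX_DECOMPRESSED):
    """Base64-decode and decompress a content field, producing at most limit + 1 bytes."""
    raw = base64.b64decode(b64_value, validate=True)
    if fmt == "gzip":
        dec = zlib.decompressobj(31)  # wbits=31 selects gzip framing
    elif fmt == "xz":
        dec = lzma.LZMADecompressor(format=lzma.FORMAT_XZ)
    else:
        raise ValueError(f"unsupported format: {fmt!r}")
    try:
        # The second argument is max_length: the decompressor stops producing
        # output there, so oversized input never occupies more than limit + 1 bytes.
        out = dec.decompress(raw, limit + 1)
    except (zlib.error, lzma.LZMAError) as exc:
        raise ValueError("corrupt compressed content") from exc
    if len(out) > limit:
        raise ContentTooLarge(f"expands past {limit} bytes from {len(raw)} compressed")
    if not dec.eof or dec.unused_data:
        raise ValueError("truncated stream or trailing data")
    return out


if __name__ == "__main__":
    # Constructed samples: an ordinary paste and 8 MiB of zero bytes.
    samples = {"ordinary": ("gzip", gzip.compress(b"hello paste\n")),
               "oversized": ("xz", lzma.compress(b"\0" * (8 * 1024 * 1024)))}
    for name, (fmt, blob) in samples.items():
        field = base64.b64encode(blob).decode()
        try:
            print(name, len(field), "->", len(decode_content(field, fmt)))
        except ContentTooLarge as err:
            print(name, len(field), "rejected:", err)
```

The cap is enforced while decompressing, so the check runs before anything is written to disk and independently of the JSON request-size limit.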
