CVE-2026-50883
Deferred Deferred - Pending Action

HTML Injection in Wastebin v3.4.1

Vulnerability report for CVE-2026-50883, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-15

Last updated on: 2026-06-16

Assigner: MITRE

Description

An HTML injection vulnerability in the /src/highlight.rs component of matze wastebin v3.4.1 allows attackers to execute arbitrary scripts via a crafted payload.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-15
Last Modified
2026-06-16
Generated
2026-07-06
AI Q&A
2026-06-15
EPSS Evaluated
2026-07-04
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
matze wastebin 3.4.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-50883 is an HTML injection vulnerability found in matze wastebin version 3.4.1, specifically in the /src/highlight.rs component.

The issue arises because the syntax highlighter uses a fallback for lines longer than 2048 characters, returning the raw line content without escaping HTML metacharacters.

This means that attacker-controlled HTML tags can be injected into the rendered page as trusted HTML, allowing stored HTML injection on the formatted paste page.

While default content security policies may limit direct inline script execution, the vulnerability still allows raw HTML injection that can modify page content and user interactions depending on the browser and security settings.

Impact Analysis

This vulnerability can allow attackers to inject arbitrary HTML into the formatted paste page, potentially altering the page content and user interactions.

Although direct execution of inline scripts may be limited by content security policies, the injected HTML can still manipulate the page in ways that could mislead users or perform unwanted actions.

Such manipulation could lead to phishing attacks, UI redressing, or other malicious behaviors depending on the browser and security context.

Detection Guidance

This vulnerability can be detected by checking for the presence of unescaped HTML content in paste lines longer than 2048 characters in wastebin version 3.4.1. Specifically, you can create or monitor for pastes containing lines exceeding 2048 characters with embedded HTML tags such as <script>alert(1)</script> and verify if these are rendered as raw HTML rather than escaped text.

A practical detection method involves creating a test paste with a line longer than 2048 characters including HTML tags and observing the rendered output in the formatted paste page.

Commands to assist detection might include using curl or wget to fetch the formatted paste page and grep or similar tools to search for unescaped HTML tags in the response.

  • curl -s http://your-wastebin-instance/paste/ID | grep -oP '<script>alert\(1\)</script>'
  • Create a paste with a line over 2048 characters containing HTML tags and check if the output renders the tags as raw HTML.
Mitigation Strategies

Immediate mitigation steps include avoiding the use of wastebin version 3.4.1 or disabling the syntax highlighting fallback that returns raw unescaped lines longer than 2048 characters.

If upgrading is possible, update to a version of wastebin where this vulnerability is fixed or apply patches that ensure all lines, regardless of length, are properly escaped before rendering.

Additionally, review and strengthen the Content Security Policy (CSP) to limit the impact of injected HTML, although this may not fully prevent exploitation.

Compliance Impact

The vulnerability allows stored HTML injection via unescaped long lines in the wastebin application, which can lead to arbitrary script execution or manipulation of page content.

Such vulnerabilities can impact compliance with standards like GDPR and HIPAA because they may lead to unauthorized access or exposure of sensitive personal or health information through cross-site scripting (XSS) attacks.

Specifically, if an attacker exploits this vulnerability to execute scripts that steal user data or session tokens, it could result in a breach of confidentiality and integrity requirements mandated by these regulations.

However, the exact impact depends on the deployment context and whether sensitive data is handled or exposed via the vulnerable component.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50883. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart