CVE-2026-50883
Received - Intake
BaseFortify

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: MITRE

Description
An HTML injection vulnerability in the /src/highlight.rs component of matze wastebin v3.4.1 allows attackers to execute arbitrary scripts via a crafted payload.
Meta Information
Published: 2026-06-15
Last Modified: 2026-06-15
Generated: 2026-06-16
AI Q&A: 2026-06-15
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
matze | wastebin | 3.4.1
CWE ID Description
CWE-UNKNOWN
Executive Summary

CVE-2026-50883 is an HTML injection vulnerability found in matze wastebin version 3.4.1, specifically in the /src/highlight.rs component.

The issue arises because the syntax highlighter uses a fallback for lines longer than 2048 characters, returning the raw line content without escaping HTML metacharacters.

This means that attacker-controlled HTML tags can be injected into the rendered page as trusted HTML, allowing stored HTML injection on the formatted paste page.

While default content security policies may limit direct inline script execution, the vulnerability still allows raw HTML injection that can modify page content and user interactions depending on the browser and security settings.

Impact Analysis

This vulnerability can allow attackers to inject arbitrary HTML into the formatted paste page, potentially altering the page content and user interactions.

Although direct execution of inline scripts may be limited by content security policies, the injected HTML can still manipulate the page in ways that could mislead users or perform unwanted actions.

Such manipulation could lead to phishing attacks, UI redressing, or other malicious behaviors depending on the browser and security context.

Detection Guidance

This vulnerability can be detected by checking whether wastebin version 3.4.1 renders unescaped HTML in paste lines longer than 2048 characters. Specifically, create or monitor for pastes containing lines exceeding 2048 characters with embedded HTML tags such as <script>alert(1)</script>, and verify whether these are rendered as raw HTML rather than escaped text.

A practical detection method involves creating a test paste with a line longer than 2048 characters including HTML tags and observing the rendered output in the formatted paste page.

Commands to assist detection might include using curl or wget to fetch the formatted paste page and grep or similar tools to search for unescaped HTML tags in the response.

  • curl -s http://your-wastebin-instance/paste/ID | grep -oP '<script>alert\(1\)</script>'
  • Create a paste with a line over 2048 characters containing HTML tags and check if the output renders the tags as raw HTML.

Mitigation Strategies

Immediate mitigation steps include avoiding the use of wastebin version 3.4.1 or disabling the syntax highlighting fallback that returns raw unescaped lines longer than 2048 characters.

If upgrading is possible, update to a version of wastebin where this vulnerability is fixed or apply patches that ensure all lines, regardless of length, are properly escaped before rendering.

Additionally, review and strengthen the Content Security Policy (CSP) to limit the impact of injected HTML, although this may not fully prevent exploitation.
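
The long-line fallback described above, shown next to a form that escapes on every path. This is an added example, not code from wastebin's src/highlight.rs: all function and constant names are hypothetical, the highlighter is a stand-in, and measuring the 2048 limit in bytes is an assumption.

```rust
const MAX_HIGHLIGHT_LEN: usize = 2048; // threshold from the advisory; byte length assumed

/// Escape the HTML metacharacters that matter in element and attribute context.
fn escape_html(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// Stand-in for the real highlighter (hypothetical): escapes, then wraps in a span.
fn highlight(line: &str) -> String {
    format!("<span class=\"hl\">{}</span>", escape_html(line))
}

/// Flawed pattern: the long-line fallback returns the input without escaping.
fn render_line_vulnerable(line: &str) -> String {
    if line.len() > MAX_HIGHLIGHT_LEN {
        return line.to_string(); // raw paste content is emitted as markup
    }
    highlight(line)
}

/// Hardened pattern: every path that produces markup escapes first.
fn render_line_fixed(line: &str) -> String {
    if line.len() > MAX_HIGHLIGHT_LEN {
        return escape_html(line); // no highlighting, but still inert text
    }
    highlight(line)
}

/// Constructed sample: a harmless tag padded past the threshold.
fn long_sample() -> String {
    format!("<b>bold</b>{}", "A".repeat(MAX_HIGHLIGHT_LEN))
}

fn main() {
    let line = long_sample();
    println!("vulnerable emits raw tag: {}", render_line_vulnerable(&line).contains("<b>"));
    println!("fixed emits raw tag:      {}", render_line_fixed(&line).contains("<b>"));
}
```

A regression test for a patched build can assert the same property: a line just over the limit must come back with no literal `<` in it.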
