Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Anonymous paste creation gives PR:N and AC:L over the network; victim must view the paste (UI:R); stored XSS changes scope to the browser (S:C) with limited C/I and no availability impact.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
An HTML injection vulnerability in the /src/highlight.rs component of matze wastebin v3.4.1 allows attackers to execute arbitrary scripts via a crafted payload.
AnalysisAI
Stored HTML/script injection in matze wastebin v3.4.1 allows remote unauthenticated attackers to execute arbitrary JavaScript in the browser of any user who views a crafted paste, by abusing improper output encoding in the /src/highlight.rs syntax-highlighting component. A public gist appears to demonstrate the issue, but no public exploit identified at time of analysis as weaponized tooling, and EPSS exploitation probability is low at 0.18% (8th percentile).
Technical ContextAI
Wastebin is a self-hosted Rust-based pastebin service maintained by upstream developer 'matze'. The vulnerable code path is the highlight.rs module, which is responsible for rendering user-submitted snippets with syntax highlighting before emitting them as HTML. CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates the highlighter is failing to encode or sanitize user-controlled tokens before they are interpolated into the HTML response, so an attacker-controlled paste body is rendered as live markup rather than inert text. Because pastes are served back to any visitor of the paste URL, the flaw behaves as a stored cross-site scripting issue executing in the wastebin origin.
RemediationAI
No vendor-released patch identified at time of analysis - operators should monitor the upstream wastebin GitHub repository for a release newer than 3.4.1 that addresses the highlight.rs encoding issue and upgrade as soon as a fixed tag is published; the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-50883 should be checked for an updated patch reference. As compensating controls until a fix is available, deploy a strict Content-Security-Policy response header on the wastebin host that disallows inline scripts (e.g., script-src 'self' without 'unsafe-inline'), which neutralizes injected <script> blocks at the cost of breaking any legitimate inline scripting in custom themes; restrict paste creation to authenticated or IP-allowlisted users via a reverse proxy to remove the unauthenticated attack surface, accepting the loss of anonymous public-paste functionality; and disable or replace the syntax-highlighting feature on the instance if the deployment can tolerate plain-text rendering, which eliminates the vulnerable code path entirely.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36781
GHSA-ch49-46cv-33f2