CVE-2026-50883
Description
CVE-2026-50883: Stored HTML injection in wastebin v3.4.1 via unescaped long-line syntax highlighting fallback, enabling potential cross-site scripting.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
wastebin v3.4.1 contains an HTML injection vulnerability in the /src/highlight.rs component. The syntax highlighter uses a fallback for paste lines longer than 2048 characters, returning line.to_string() without escaping HTML metacharacters. The formatted paste template renders the output as trusted HTML, allowing attacker-controlled content to be injected into the DOM. This affects all instances using the default syntax highlighting configuration [1].
Exploitation
An attacker can create a new paste via /new and include a line exceeding 2048 characters containing a malicious HTML tag (for example a `<script>` tag). When a victim views the formatted paste page, the injected HTML is rendered unescaped. The default Content Security Policy may restrict inline script execution, but the injection of arbitrary HTML is confirmed [1].
Impact
Successful exploitation results in stored HTML injection within the formatted paste output. The attacker can alter page content, inject phishing elements, or, depending on the browser and CSP configuration, execute arbitrary scripts. The injection is persistent until the paste is deleted [1].
Mitigation
As of the publication date, no patch has been released for wastebin v3.4.1. Users can mitigate the risk by disabling syntax highlighting or implementing a strict Content Security Policy that blocks inline scripts. No official workaround from the vendor is available [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0): No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing HTML escaping in the syntax-highlighting fallback for long paste lines allows stored HTML injection."
Attack vector
An attacker creates a new paste through `/new` containing a single line longer than 2048 characters that includes raw HTML metacharacters (e.g., `<script>alert(1)</script>`). When a victim views the formatted paste page, the long-line fallback in the highlighter returns the attacker's input unescaped, and the template renders it as trusted HTML, injecting the payload into the DOM [ref_id=1]. The default Content Security Policy may limit direct inline script execution, but the confirmed boundary is stored raw HTML injection in the formatted paste page [ref_id=1].
Affected code
The vulnerability resides in `crates/wastebin_highlight/src/highlight.rs` of wastebin v3.4.1. The syntax-highlighting fallback for lines exceeding the configured threshold (2048 characters) returns `line.to_string()` without escaping, and the formatted paste template renders the produced HTML as trusted content [ref_id=1].
What the fix does
The advisory does not provide a published patch. The fix would require the long-line fallback in `highlight.rs` to escape HTML metacharacters (e.g., using `html_escape`) before returning the string, or to apply the same escaping logic used for short lines. Without escaping, attacker-controlled HTML metacharacters on lines longer than 2048 characters pass through to the rendered DOM as trusted content [ref_id=1].
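The fix the advisory describes is a one-line change in spirit: the long-line fallback must escape the same metacharacters the normal path already neutralizes before the template treats the result as trusted HTML. The following Rust block is an added illustration of that pattern and is not wastebin's code; the function names, the stand-in `highlight_short` renderer and the `contains_raw_tag` check are assumptions, and only the 2048-character threshold and the `<script>alert(1)</script>` sample come from the advisory text.

```rust
// Added example, not wastebin's code: a minimal highlighter fallback that
// escapes HTML metacharacters on long lines. Function names and the stand-in
// highlighter are assumptions for illustration.

/// Threshold above which the highlighter gives up (value cited by the advisory).
pub const LONG_LINE_THRESHOLD: usize = 2048;

/// Escape the five HTML metacharacters so the text renders literally.
pub fn escape_html(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// Stand-in for the real highlighter: escapes, then wraps the line in a span.
fn highlight_short(line: &str) -> String {
    format!("<span class=\"line\">{}</span>", escape_html(line))
}

/// Vulnerable pattern: long lines skip the highlighter and are returned raw,
/// so any tag in the paste reaches the template as trusted HTML.
pub fn highlight_line_unescaped(line: &str) -> String {
    if line.chars().count() > LONG_LINE_THRESHOLD {
        return line.to_string();
    }
    highlight_short(line)
}

/// Hardened pattern: the fallback escapes before returning, matching the
/// treatment short lines already get.
pub fn highlight_line_escaped(line: &str) -> String {
    if line.chars().count() > LONG_LINE_THRESHOLD {
        return escape_html(line);
    }
    highlight_short(line)
}

/// Cheap regression check for rendered output: does a fragment still carry
/// a raw opening tag of the given name?
pub fn contains_raw_tag(fragment: &str, tag: &str) -> bool {
    fragment.contains(&format!("<{}", tag))
}

fn main() {
    // Constructed sample: padding pushes the line over the threshold so the
    // fallback path is taken; the payload is the one the advisory quotes.
    let long_line = format!("{}<script>alert(1)</script>", "a".repeat(LONG_LINE_THRESHOLD));
    println!(
        "unescaped fallback leaks raw <script>: {}",
        contains_raw_tag(&highlight_line_unescaped(&long_line), "script")
    );
    println!(
        "escaped fallback leaks raw <script>: {}",
        contains_raw_tag(&highlight_line_escaped(&long_line), "script")
    );
}
```

The `contains_raw_tag` check is the kind of assertion worth keeping in a template test suite: render a paste whose lines straddle the threshold and confirm that no line, short or long, yields an unescaped tag from user input.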
Preconditions
- auth: The attacker must be able to create a paste through the /new endpoint
- input: The paste must contain at least one line exceeding 2048 characters
- network: A victim must view the formatted paste page
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)
News mentions (0): No linked articles in our index yet.