HIGH | CVE-2026-50882 | CNA: mitre

CVE-2026-50882: An issue in the /api/v0/pastes endpoint of anna-is-cute paste v0

An issue in the /api/v0/pastes endpoint of anna-is-cute paste v0.1.1 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: (none)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a denial-of-service vulnerability in the /api/v0/pastes endpoint of anna-is-cute paste v0.1.1. The endpoint is reachable over the network and requires no authentication, meaning any unauthenticated attacker with network access can trigger it by sending a crafted POST request. Successful exploitation crashes or hangs the affected service, making it unavailable to legitimate users. No fix version has been published yet; HarborGuard tracks the advisory and will surface a patched rebuild the moment upstream ships a fix.

HarborGuard Coverage

Detection

Detection for CVE-2026-50882 is available across every HarborGuard environment - the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries, CI/CD pipelines, and custom-built images automatically.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 7.5 (HIGH) and weighting it against each environment's compliance policy, then routing the finding to the appropriate team inbox within the customer organization.

Status: Available

Patch

Because no fix version has been published, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a fix. In the interim, the finding remains open and visible in each affected environment's vulnerability queue.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the host running anna-is-cute paste.

  • Authentication: Not required

    No credentials or session token are needed; the /api/v0/pastes endpoint accepts unauthenticated POST requests.

  • Victim interaction: Not required

    The attacker sends a crafted request directly to the service; no user action or social engineering is involved.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or environmental setup.

Blast Radius

  • The targeted service becomes unavailable, denying access to all users for the duration of the attack.
  • Availability of stored pastes and any dependent integrations is disrupted until the service is restarted or the attack stops.
  • No confidentiality or integrity impact is indicated; data is not read or modified by this exploit.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-50882, HarborGuard keeps the advisory under continuous monitoring and will trigger a patched-image rebuild automatically once the maintainer publishes a fix version. Until then, customers can use HarborGuard network-policy recommendations to restrict inbound access to the /api/v0/pastes endpoint to trusted sources only, reducing exposure without requiring a code change. Egress filtering and rate-limiting rules can be applied as compensating controls through HarborGuard's policy engine. For customers who opt into auto-remediation, a rebuild, regression-test run, and PR against affected workloads will be initiated without manual intervention the moment a fix version is detected in the upstream feed.

Affected packages
  • n/a / n/a
    n/a
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H