How is CVE-2026-50883 exploited?

Network reachability (required): The vulnerable component is exposed over the network, meaning an attacker must be able to reach the service via standard network connectivity to deliver a crafted payload. Authentication (not-required): No credentials or account are needed; an unauthenticated attacker can submit a crafted payload directly to the affected endpoint. Victim interaction (required): A victim must interact with attacker-controlled content (for example, by opening or viewing a crafted paste link) for the injected script to execute in their browser session. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other environmental factors beyond delivering the payload.

What is the impact of CVE-2026-50883?

Reads session tokens, cookies, and any sensitive data accessible in the victim's browser context for the affected origin. Modifies page content rendered to the victim, enabling credential harvesting or redirection to attacker-controlled resources. Executes arbitrary scripts within the victim's authenticated session, allowing actions to be performed on the victim's behalf. Disrupts the victim's use of the affected service by injecting content that breaks normal page rendering or functionality.

Back to search

CRITICALCVE-2026-50883Published 2026-06-15Modified 2026-06-16CNA mitre

CVE-2026-50883: An HTML injection vulnerability in the /src/highlight

An HTML injection vulnerability in the /src/highlight.rs component of matze wastebin v3.4.1 allows attackers to execute arbitrary scripts via a crafted payload.

CVSS v3.1: 9.6
Severity: CRITICAL
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

An HTML injection vulnerability in the /src/highlight.rs component of matze wastebin v3.4.1 allows attackers to inject and execute arbitrary scripts in the context of a victim's browser session. The flaw is reachable over the network, requires no authentication, and is triggered when a victim interacts with attacker-controlled content (a classic cross-site scripting delivery path). Successful exploitation gives the attacker full control over confidentiality, integrity, and availability of the affected scope, including data exposure, content tampering, and service disruption. HarborGuard is tracking this advisory for patch availability, as no fix version has been published yet.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-50883 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images derived from affected versions of matze wastebin. Coverage applies regardless of whether the image was pulled from a public registry or built internally.

Available

Triage

HarborGuard scores this finding at CVSS 9.6 (Critical, v3.1) and is capable of weighting that score against each customer environment's compliance policy to determine urgency and routing. Findings are surfaced to the appropriate team inbox within each customer org based on configured policy rules.

Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and a PR opened against affected workloads without requiring manual intervention.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable component is exposed over the network, meaning an attacker must be able to reach the service via standard network connectivity to deliver a crafted payload.
AuthenticationNot required
No credentials or account are needed; an unauthenticated attacker can submit a crafted payload directly to the affected endpoint.
Victim interactionRequired
A victim must interact with attacker-controlled content (for example, by opening or viewing a crafted paste link) for the injected script to execute in their browser session.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other environmental factors beyond delivering the payload.

Blast Radius

Reads session tokens, cookies, and any sensitive data accessible in the victim's browser context for the affected origin.
Modifies page content rendered to the victim, enabling credential harvesting or redirection to attacker-controlled resources.
Executes arbitrary scripts within the victim's authenticated session, allowing actions to be performed on the victim's behalf.
Disrupts the victim's use of the affected service by injecting content that breaks normal page rendering or functionality.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix for CVE-2026-50883 has been published, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild automatically as soon as the upstream maintainer ships a fix. In the interim, customers can apply compensating controls through HarborGuard's policy engine: network-policy isolation to restrict which clients can reach the matze wastebin service, egress filtering to limit what attacker-injected scripts can reach, and feature-flag gating to disable the affected highlight endpoint if the deployment permits it. For customers with auto-remediation enabled, the moment a fix version is published the rebuild, regression test run, and PR against affected workloads will be initiated without manual steps. Given the Critical (9.6) CVSS score and the no-authentication, network-reachable attack surface, treating this as high priority for compensating controls is warranted while waiting for an upstream patch.

See how HarborGuard automates this

Affected packages

n/a / n/a
n/a

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

References

gist.github.com

Metrics

Get notified