{"uuid": "be29ae35-0804-4d23-9019-8cc330211e12", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50883", "type": "seen", "source": "https://gist.github.com/pyuysig/eb74ae37c49d0383bedc08881c2493c4", "content": "# Vulnerability Report: CVE-2026-50883 - wastebin - Long-line highlight fallback HTML injection\n\n## Vulnerability Summary\nmatze wastebin 3.4.1 contains a cross-site scripting issue in the long-line syntax highlighting fallback. A remote attacker can create a paste containing a single line longer than 2048 bytes with crafted HTML markup, causing the paste page to render attacker-controlled HTML or script.\n\n## Affected Product\n- **Vendor**: matze\n- **Product**: wastebin\n- **Version**: 3.4.1\n- **Vulnerable Component**: crates/wastebin_highlight/src/highlight.rs long-line fallback, crates/wastebin_server/templates/formatted.html\n\n## Vulnerability Details\n- **Vulnerability Type**: Cross Site Scripting (XSS)\n- **Weakness**: CWE-79\n- **Attack Conditions**: Create a paste containing a single line longer than 2048 bytes with crafted HTML markup, then load or share the paste page.\n\n## Report Body\n\n### Summary\nmatze wastebin 3.4.1 contains a cross-site scripting issue in the long-line syntax highlighting fallback. A remote attacker can create a paste containing a single line longer than 2048 bytes with crafted HTML markup, causing the paste page to render attacker-controlled HTML or script.\n\n### Details\nThe long-line fallback path emits paste content without the same escaping or highlighting protections applied to normal lines.\n\n### PoC\n1. Prepare an environment matching the affected product and version above.\n2. Trigger the vulnerable component under the attack conditions described for CVE-2026-50883.\n3. Confirm the security result: A crafted long single-line paste renders active HTML in the formatted paste view.\n\n### Impact\nExecution of attacker-controlled script or HTML in the browser of users viewing the affected paste.\n\n## Remediation\nHTML-escape all paste content in fallback paths and add tests for long-line rendering.\n\n## Credit\n- Discoverer(s): Yuming Zhang and Song Li of Zhejiang University\n\n## Notes\nThis public reference is intended to support the CVE record with concise, factual vulnerability details. It intentionally avoids a full exploit release.\n", "creation_timestamp": "2026-06-13T12:45:53.000000Z"}