{"vulnerability": "cve-2026-5088", "sightings": [{"uuid": "c87f5310-eaef-4c30-9cf6-3f3f99b20cf3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50889", "type": "seen", "source": "https://gist.github.com/pyuysig/41937c47514ff63d66a3be98ab8e8a7d", "content": "", "creation_timestamp": "2026-06-13T12:46:02.000000Z"}, {"uuid": "dffd10ac-0bee-483d-8a3b-969f7a02a658", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-5088", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mjjgw5ubnq2z", "content": "", "creation_timestamp": "2026-04-15T08:08:24.370634Z"}, {"uuid": "dca69744-a965-48fc-91f9-89a61bb7c240", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-5088", "type": "seen", "source": "Telegram/xaMuklUmIhmgdshubo3uV9apJJHbiRRivMdJ18LxU3A0Q4Q", "content": "", "creation_timestamp": "2026-04-16T15:19:33.000000Z"}, {"uuid": "8a72f774-c36c-4999-9305-b734935e445f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50884", "type": "seen", "source": "https://gist.github.com/pyuysig/72acb62a9973fa394581f662c0f12704", "content": "# Vulnerability Report: CVE-2026-50884 - statping-ng - Non-admin API key accepted for administrator API endpoints\n\n## Vulnerability Summary\nstatping-ng 0.93.0 contains an incorrect access control issue in API key authentication. A remote attacker with a valid non-admin user API key can pass the key in the api query parameter to admin-only /api/* endpoints, leading to unauthorized administrator-level access.\n\n## Affected Product\n- **Vendor**: statping-ng Project\n- **Product**: statping-ng\n- **Version**: 0.93.0\n- **Vulnerable Component**: handlers/authentication.go hasAPIQuery(), handlers/handlers.go IsFullAuthenticated(), admin-only routes protected by authenticated(...), including /api/users\n\n## Vulnerability Details\n- **Vulnerability Type**: Incorrect Access Control\n- **Weakness**: CWE-863\n- **Attack Conditions**: Remote request with a valid non-admin user API key in the api query parameter to an admin-only /api/* endpoint.\n\n## Report Body\n\n### Summary\nstatping-ng 0.93.0 contains an incorrect access control issue in API key authentication. A remote attacker with a valid non-admin user API key can pass the key in the api query parameter to admin-only /api/* endpoints, leading to unauthorized administrator-level access.\n\n### Details\nThe authentication helper treats presence of a valid API key as full authentication for routes that require administrator-level access, without enforcing the caller role.\n\n### PoC\n1. Prepare an environment matching the affected product and version above.\n2. Trigger the vulnerable component under the attack conditions described for CVE-2026-50884.\n3. Confirm the security result: A non-admin user API key can access admin-only API endpoints such as /api/users.\n\n### Impact\nPrivilege escalation from non-admin API key access to administrator API operations.\n\n## Remediation\nSeparate authentication from authorization and require administrator role checks for admin API endpoints even when API-key authentication succeeds.\n\n## Credit\n- Discoverer(s): Yuming Zhang and Song Li of Zhejiang University\n\n## Notes\nThis public reference is intended to support the CVE record with concise, factual vulnerability details. It intentionally avoids a full exploit release.\n", "creation_timestamp": "2026-06-13T12:45:55.000000Z"}, {"uuid": "be29ae35-0804-4d23-9019-8cc330211e12", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50883", "type": "seen", "source": "https://gist.github.com/pyuysig/eb74ae37c49d0383bedc08881c2493c4", "content": "# Vulnerability Report: CVE-2026-50883 - wastebin - Long-line highlight fallback HTML injection\n\n## Vulnerability Summary\nmatze wastebin 3.4.1 contains a cross-site scripting issue in the long-line syntax highlighting fallback. A remote attacker can create a paste containing a single line longer than 2048 bytes with crafted HTML markup, causing the paste page to render attacker-controlled HTML or script.\n\n## Affected Product\n- **Vendor**: matze\n- **Product**: wastebin\n- **Version**: 3.4.1\n- **Vulnerable Component**: crates/wastebin_highlight/src/highlight.rs long-line fallback, crates/wastebin_server/templates/formatted.html\n\n## Vulnerability Details\n- **Vulnerability Type**: Cross Site Scripting (XSS)\n- **Weakness**: CWE-79\n- **Attack Conditions**: Create a paste containing a single line longer than 2048 bytes with crafted HTML markup, then load or share the paste page.\n\n## Report Body\n\n### Summary\nmatze wastebin 3.4.1 contains a cross-site scripting issue in the long-line syntax highlighting fallback. A remote attacker can create a paste containing a single line longer than 2048 bytes with crafted HTML markup, causing the paste page to render attacker-controlled HTML or script.\n\n### Details\nThe long-line fallback path emits paste content without the same escaping or highlighting protections applied to normal lines.\n\n### PoC\n1. Prepare an environment matching the affected product and version above.\n2. Trigger the vulnerable component under the attack conditions described for CVE-2026-50883.\n3. Confirm the security result: A crafted long single-line paste renders active HTML in the formatted paste view.\n\n### Impact\nExecution of attacker-controlled script or HTML in the browser of users viewing the affected paste.\n\n## Remediation\nHTML-escape all paste content in fallback paths and add tests for long-line rendering.\n\n## Credit\n- Discoverer(s): Yuming Zhang and Song Li of Zhejiang University\n\n## Notes\nThis public reference is intended to support the CVE record with concise, factual vulnerability details. It intentionally avoids a full exploit release.\n", "creation_timestamp": "2026-06-13T12:45:53.000000Z"}, {"uuid": "10cfba3f-effe-48be-85ca-0a027b03b6ff", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50888", "type": "seen", "source": "https://gist.github.com/pyuysig/d60273c1c346257ceddbf8da7134bae7", "content": "", "creation_timestamp": "2026-06-13T12:46:01.000000Z"}, {"uuid": "f6c5789e-402b-4784-869e-da41acd36c44", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50887", "type": "seen", "source": "https://gist.github.com/pyuysig/9de95fb39eb089a4346570d791af99a6", "content": "", "creation_timestamp": "2026-06-13T12:45:59.000000Z"}, {"uuid": "23bfc00e-c024-4b0e-ad75-9049b4a4a822", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-5088", "type": "seen", "source": "https://bsky.app/profile/infosec.skyfleet.blue/post/3mjkazid6lm2s", "content": "", "creation_timestamp": "2026-04-15T15:55:33.032811Z"}, {"uuid": "b1b612c5-ab52-4fd6-a6a9-3bd4dfc32993", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-5088", "type": "seen", "source": "https://bsky.app/profile/infosec.skyfleet.blue/post/3mjkbcgvips2r", "content": "", "creation_timestamp": "2026-04-15T16:00:33.913004Z"}, {"uuid": "c08b8e0e-fc62-4bc3-be77-968febbc6fd3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50882", "type": "seen", "source": "https://gist.github.com/pyuysig/e5b8c018b2d323b0b4ddffb9ebce9a80", "content": "# Vulnerability Report: CVE-2026-50882 - paste - Compressed paste content can expand beyond request limits\n\n## Vulnerability Summary\nanna-is-cute paste 0.1.1 contains a denial-of-service issue in compressed paste content deserialization. An unauthenticated remote attacker can submit gzip- or xz-compressed content to /api/v0/pastes that expands far beyond the JSON request limit during deserialization, leading to resource exhaustion.\n\n## Affected Product\n- **Vendor**: anna-is-cute\n- **Product**: paste\n- **Version**: 0.1.1\n- **Vulnerable Component**: POST /api/v0/pastes, webserver/src/models/paste/mod.rs gzip_base64_serde and xz_base64_serde, webserver/src/database/models/pastes.rs create_file\n\n## Vulnerability Details\n- **Vulnerability Type**: Resource Management Error\n- **Weakness**: CWE-400, CWE-770\n- **Attack Conditions**: POST /api/v0/pastes with crafted gzip_base64 or xz_base64 content that expands after deserialization.\n\n## Report Body\n\n### Summary\nanna-is-cute paste 0.1.1 contains a denial-of-service issue in compressed paste content deserialization. An unauthenticated remote attacker can submit gzip- or xz-compressed content to /api/v0/pastes that expands far beyond the JSON request limit during deserialization, leading to resource exhaustion.\n\n### Details\nCompressed paste fields are decoded and decompressed during model deserialization. The configured JSON request size limit applies to the compressed representation, not the expanded output.\n\n### PoC\n1. Prepare an environment matching the affected product and version above.\n2. Trigger the vulnerable component under the attack conditions described for CVE-2026-50882.\n3. Confirm the security result: A small compressed JSON field expands to content far larger than the 1 MiB request limit and consumes server resources during paste creation.\n\n### Impact\nUnauthenticated remote denial of service through decompression-based memory or disk amplification.\n\n## Remediation\nApply maximum decompressed-size limits, stream decompression with bounds, and reject compressed content that exceeds configured paste size limits.\n\n## Credit\n- Discoverer(s): Yuming Zhang and Song Li of Zhejiang University\n\n## Notes\nThis public reference is intended to support the CVE record with concise, factual vulnerability details. It intentionally avoids a full exploit release.\n", "creation_timestamp": "2026-06-13T12:45:51.000000Z"}, {"uuid": "f252bd98-0dc8-41d7-8f98-5bea0d723618", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50881", "type": "seen", "source": "https://gist.github.com/pyuysig/68754e4c40161ea27fcf80be46c59e7c", "content": "# Vulnerability Report: CVE-2026-50881 - Bonsai - Editor role can access administrator operations\n\n## Vulnerability Summary\nimpworks Bonsai 6.0 contains an incorrect access control issue in shared admin authorization handling. An authenticated user with the Editor role can send direct requests to hidden administrator routes, allowing unauthorized account, password, and configuration changes.\n\n## Affected Product\n- **Vendor**: impworks\n- **Product**: Bonsai\n- **Version**: 6.0\n- **Vulnerable Component**: AdminAuthHandler, AdminControllerBase, UsersController, UsersManagerService, DynamicConfigController\n\n## Vulnerability Details\n- **Vulnerability Type**: Incorrect Access Control\n- **Weakness**: CWE-863\n- **Attack Conditions**: Remote authenticated Editor sends direct HTTP requests to hidden admin routes such as /admin/users/create, /admin/users/update, /admin/users/reset-password, or /admin/config.\n\n## Report Body\n\n### Summary\nimpworks Bonsai 6.0 contains an incorrect access control issue in shared admin authorization handling. An authenticated user with the Editor role can send direct requests to hidden administrator routes, allowing unauthorized account, password, and configuration changes.\n\n### Details\nAdministrator routes rely on shared authorization behavior that does not correctly exclude Editor-role users from sensitive account and configuration actions.\n\n### PoC\n1. Prepare an environment matching the affected product and version above.\n2. Trigger the vulnerable component under the attack conditions described for CVE-2026-50881.\n3. Confirm the security result: An Editor-role user can access direct admin endpoints and perform administrative changes despite not being an administrator.\n\n### Impact\nPrivilege escalation from Editor to administrator-level operations.\n\n## Remediation\nRequire explicit administrator role checks on all administrator routes and add tests for each sensitive route.\n\n## Credit\n- Discoverer(s): Yuming Zhang and Song Li of Zhejiang University\n\n## Notes\nThis public reference is intended to support the CVE record with concise, factual vulnerability details. It intentionally avoids a full exploit release.\n", "creation_timestamp": "2026-06-13T12:45:50.000000Z"}, {"uuid": "31254886-ee1c-4b7a-b813-e274aec09cf0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50880", "type": "seen", "source": "https://gist.github.com/pyuysig/4013f4f10f74b3fded7ddf41b6d36ae5", "content": "# Vulnerability Report: CVE-2026-50880 - YouTransfer - Sendmail transport executable path can be attacker-controlled\n\n## Vulnerability Summary\nYouTransfer 1.0.6 contains a command execution issue in sendmail transport configuration. An attacker who can modify email settings can configure the sendmail transport to use an attacker-chosen executable path and then trigger /send, causing the configured executable to be run.\n\n## Affected Product\n- **Vendor**: YouTransfer Project\n- **Product**: YouTransfer\n- **Version**: 1.0.6\n- **Vulnerable Component**: /settings/email, /send, lib/youtransfer.js sendmail transporter path\n\n## Vulnerability Details\n- **Vulnerability Type**: OS Command Injection\n- **Weakness**: CWE-78\n- **Attack Conditions**: Context-dependent. Modify email settings to use the sendmail transport with an attacker-chosen executable path, then trigger /send.\n\n## Report Body\n\n### Summary\nYouTransfer 1.0.6 contains a command execution issue in sendmail transport configuration. An attacker who can modify email settings can configure the sendmail transport to use an attacker-chosen executable path and then trigger /send, causing the configured executable to be run.\n\n### Details\nThe email settings path allows the sendmail transport executable to be configured and later used by the send operation. A crafted sender address can also be reinterpreted as an option by the spawned executable in the affected path.\n\n### PoC\n1. Prepare an environment matching the affected product and version above.\n2. Trigger the vulnerable component under the attack conditions described for CVE-2026-50880.\n3. Confirm the security result: After setting the sendmail path to a controlled executable or payload, triggering a send operation executes that path.\n\n### Impact\nCommand execution in deployments where an attacker can modify email transport settings.\n\n## Remediation\nDo not allow untrusted users to configure executable paths. Restrict sendmail path to trusted server-side configuration and pass arguments safely.\n\n## Credit\n- Discoverer(s): Yuming Zhang and Song Li of Zhejiang University\n\n## Notes\nThis public reference is intended to support the CVE record with concise, factual vulnerability details. It intentionally avoids a full exploit release.\n", "creation_timestamp": "2026-06-13T12:45:49.000000Z"}, {"uuid": "ba02ed42-1fdb-4d35-abdd-334f9c59c0a4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50886", "type": "seen", "source": "https://gist.github.com/pyuysig/f5395f90753ba652835ba9c6abf4c4ae", "content": "", "creation_timestamp": "2026-06-13T12:45:58.000000Z"}]}