Description
An HTML injection vulnerability in the /src/highlight.rs component of matze wastebin v3.4.1 allows attackers to execute arbitrary scripts via a crafted payload.
Published: 2026-06-15
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An HTML injection flaw exists in the /src/highlight.rs component of matze wastebin version 3.4.1. The vulnerability allows an attacker to craft a payload that injects arbitrary JavaScript, giving them the ability to execute code in the victim’s browser. The impact is equivalent to remote code execution, potentially leading to data theft, defacement, or further compromise. The flaw is a classic Cross‑Site Scripting issue identified as CWE‑79 and carries a CVSS score of 9.6.

Affected Systems

The only publicly documented affected version is matze wastebin v3.4.1. No other versions or products are listed as impacted. Users running this exact version should assume it is vulnerable.

Risk and Exploitability

The EPSS score of less than 1% suggests that, as of the latest data, exploitation has not been widely observed, but the critical CVSS rating means the potential damage is high. The vulnerability appears to be exploitable via crafted requests or input that reaches the highlight.rs endpoint; the exact attack vector is inferred from the description of a crafted payload. The project is not currently listed in the CISA KEV catalog, but the seriousness of the flaw warrants caution.

Generated by OpenCVE AI on June 18, 2026 at 01:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade matze wastebin to the latest available release that fixes highlight.rs; if a newer version is not yet available, upgrade as soon as possible.
  • Apply a temporary input sanitization workaround by filtering or escaping any HTML content processed by highlight.rs, ensuring that script tags are removed or neutralized before rendering.
  • Deploy a strict Content Security Policy that blocks inline scripts and restricts script execution to trusted origins for any pages rendering output from highlight.rs.
  • Restrict access to the highlight.rs endpoint to authenticated and authorized users whenever feasible to reduce exposure.

Generated by OpenCVE AI on June 18, 2026 at 01:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Matze
Matze wastebin
Vendors & Products Matze
Matze wastebin

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title HTML Injection in matze wastebin Enables Arbitrary Script Execution

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title HTML Injection in matze wastebin Enables Arbitrary Script Execution

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description An HTML injection vulnerability in the /src/highlight.rs component of matze wastebin v3.4.1 allows attackers to execute arbitrary scripts via a crafted payload.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-16T14:38:04.665Z

Reserved: 2026-06-07T00:00:00.000Z

Link: CVE-2026-50883

cve-icon Vulnrichment

Updated: 2026-06-16T14:37:57.879Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T20:16:31.267

Modified: 2026-06-16T15:50:58.757

Link: CVE-2026-50883

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:46:13Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')