External risk intelligence

Matze Wastebin HTML Injection Executes Arbitrary Scripts

CVE advisory

Severity: CRITICAL (CVSS 9.6)

CVE-2026-50883

An HTML injection vulnerability in a component of matze wastebin could allow attackers to execute arbitrary scripts via crafted input. This could potentially impact application behavior or lead to unauthorized actions if the affected system is reachable and processes malicious content.

Halo Surface Signal: 4

Cross-site Scripting

External exposure likelihood

The vulnerability affects a wastebin application, which is typically deployed as a public-facing web service intended to receive and display content from users over the internet.

PCI scan relevance

Yes

CVE-2026-50883 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows for script execution, which typically leads to an automatic failure in PCI ASV scans and requires remediation.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

An HTML injection vulnerability exists in a component of matze wastebin that could allow unauthorized scripts to run. This could potentially lead to compromise if the affected system is exposed to malicious input.

  • Web component allows script injection.
  • Matters while exposure and relevance remain unconfirmed.
  • Confirm if this wastebin system is exposed.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending a specially crafted payload to the matze wastebin application. This payload would be processed by the `/src/highlight.rs` component, which is susceptible to HTML injection. Successful exploitation could allow an attacker to execute arbitrary scripts within the user's browser, potentially leading to further compromise.

  • No authentication required.
  • Crafted payload sent to web service.
  • Arbitrary script execution.

Live Threat

Current exploitation, exposure, and threat context

An HTML injection vulnerability in the `/src/highlight.rs` component could allow attackers to execute arbitrary scripts by tricking users into clicking a crafted payload. This could impact the application's behavior and potentially lead to unauthorized actions or data exposure if the application processes sensitive information.

  • Application behavior and sensitive data.
  • Via crafted payload and user interaction.
  • Unauthorized script execution and data exposure.

Operational Fix

Recommended remediation, mitigation, and detection steps

This HTML injection vulnerability in the `/src/highlight.rs` component impacts wastebin applications that are likely internet-facing web services. Ownership will likely fall to the application team responsible for the wastebin service, with support from the security or network team to assess external exposure. The first step is to confirm the presence and reachability of the affected service to determine the actual risk.

  • Application owners should investigate usage.
  • Verify external access and business criticality.
  • Plan remediation based on exposure.


Frequently asked questions

What is matze wastebin?

Matze wastebin is a lightweight web-based application designed for storing and sharing snippets of text or code. It is commonly used by developers or teams to quickly host logs, configuration files, or programming fragments for collaborative viewing. The software processes user-submitted content to present it in a readable format, which involves parsing the text before displaying it in a browser.

How does CVE-2026-50883 work?

This is an HTML injection vulnerability, classified as CWE-79. It occurs because the application fails to properly sanitize user input in the highlight component. Instead of treating input as plain text, the software interprets malicious HTML or script tags as active code. When a victim views the affected snippet, the browser executes these unauthorized scripts, allowing the content to run within the user's session context.
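
As an added illustration of the failure described above (not code from wastebin or from this advisory), the Rust sketch below contrasts a renderer that splices paste text into markup verbatim with one that HTML-encodes it at the point of output. The function names, the markup shape and the user-supplied language label are assumptions made for the example.

```rust
// Added illustration only: NOT wastebin's src/highlight.rs. All names are hypothetical.

/// Encode the characters that let text break out of an HTML text node
/// or a quoted attribute value.
fn escape_html(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#39;"),
            _ => out.push(c),
        }
    }
    out
}

/// Vulnerable pattern: paste text is spliced into markup verbatim.
fn render_line_unsafe(line_no: usize, text: &str) -> String {
    format!("<span class=\"line\" id=\"L{}\">{}</span>", line_no, text)
}

/// Hardened pattern: user-controlled text is encoded where it is written out.
fn render_line_safe(line_no: usize, text: &str) -> String {
    format!("<span class=\"line\" id=\"L{}\">{}</span>", line_no, escape_html(text))
}

/// Render a whole paste. The language label is assumed to be user-supplied too,
/// so it is encoded before it lands in an attribute value.
fn render_paste(lang: &str, body: &str, safe: bool) -> String {
    let lines: Vec<String> = body.lines().enumerate().map(|(i, l)| {
        if safe { render_line_safe(i + 1, l) } else { render_line_unsafe(i + 1, l) }
    }).collect();
    let lang_attr = if safe { escape_html(lang) } else { lang.to_string() };
    format!("<pre data-lang=\"{}\">{}</pre>", lang_attr, lines.join("\n"))
}

fn main() {
    // Constructed sample paste: closes the span, then tries to open a script element.
    let paste = "let x = 1;\n</span><script>alert(1)</script>";
    println!("unsafe: {}", render_paste("rust", paste, false));
    println!("safe:   {}", render_paste("rust", paste, true));
}
```

In the hardened output the browser receives `&lt;script&gt;` as text, so the paste is displayed rather than parsed as markup.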

Do I need to be logged in to trigger this bug?

No, authentication is not required to trigger this vulnerability. An attacker can initiate the process simply by submitting a specially crafted payload to the wastebin service. However, the script itself does not execute until a user views the malicious content. It is not triggered by automated backend processes that do not involve rendering the payload in a web browser.

Is my instance of matze wastebin at risk?

Halo Surface Signal indicates this vulnerability is likely relevant to your environment if your instance is internet-facing. Because wastebin applications are typically deployed to receive and display content from the public, they often lack strict access controls. If your service is reachable from the internet, it is easier for an attacker to submit malicious payloads that others might subsequently view.

When should I take action for this CVE?

Prioritize investigating this if you currently run matze wastebin v3.4.1. First, verify the deployment context and check if your instance is accessible to external users. If the application is live, coordinate with the responsible team to confirm if user-supplied content is being rendered. Once reachability is confirmed, move to evaluate the business impact and prioritize applying updates or restricting access to the web interface.
