Unknown · PrivateBin · CVE-2022-24833
**Name of the Vulnerable Software and Affected Versions**
PrivateBin versions prior to 1.4.0 (every release from 0.21, when the project was still called ZeroBin, up to and including the 1.3.x series); fixed in 1.4.0
**Description**
A cross-site scripting (XSS) issue was found in PrivateBin, a minimalist, open source online pastebin clone. The root cause is that SVG is an XML document format that can carry executable content (a `<script>` element, `on*` event-handler attributes, `javascript:` links), so an SVG is not a safe image in the way a PNG or JPEG is. An attacker who uploads a paste with a specifically crafted SVG attachment can get JavaScript executed in the browser of a victim who opens that paste and interacts with the attachment preview image. Exploitation requires all three conditions: a crafted SVG attachment, a user interacting with the preview, and an instance that is not protected by an appropriate Content Security Policy (CSP), since a CSP that forbids inline script blocks the embedded code. The issue is present in all versions from 0.21 of the project, which was initially called ZeroBin.
**Recommendations**
For versions prior to 1.4.0, upgrade to version 1.4.0 to resolve the issue.
As a temporary workaround, ensure the Content Security Policy of the instance is set correctly, that is, one whose `script-src` (or the `default-src` fallback) does not permit inline script. PrivateBin sets a CSP header by default through the `cspheader` option in its configuration; verify that the header actually reaches browsers on your deployment, since a reverse proxy or web server that strips or overrides response headers silently removes this protection and leaves the instance exposed until it is upgraded.
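The two checks a practitioner would want from the text above, as an added example that is not part of this advisory and not PrivateBin's own code: a triage function that lists the script-bearing constructs in an uploaded SVG (the reason an SVG attachment is dangerous), and an evaluator that reports whether a given CSP header string blocks inline script (the condition the workaround depends on). The SVG samples and CSP strings below are constructed for illustration; the function names `svg_script_vectors`, `parse_csp` and `csp_blocks_inline_script` are my own.

```python
"""Constructed examples: SVG attachment triage and CSP inline-script evaluation."""
import xml.etree.ElementTree as ET

# Constructed malicious SVG: three independent script vectors in one file.
MALICIOUS_SVG = """<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(document.domain)</script>
  <a xlink:href="javascript:alert(2)"><text x="0" y="15">click me</text></a>
</svg>"""

# Constructed benign SVG: only drawing primitives, no executable content.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect x="0" y="0" width="10" height="10" fill="red"/>
</svg>"""

# Constructed CSP strings: the weak one permits inline script, the strict one does not.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'; img-src 'self' data:"
STRICT_CSP = "default-src 'none'; script-src 'self'; img-src 'self' data: blob:"


def svg_script_vectors(svg_text: str) -> list[str]:
    """Return every script-bearing construct found in an SVG document.

    Walks the XML tree (namespace-aware: SVG and xlink attributes are
    matched on their local name) and reports <script> elements, on* event
    handler attributes and javascript: links, the constructs a browser will
    execute when the SVG is opened as a document rather than as an <img>.
    Note: for untrusted input in production prefer defusedxml over stdlib ET.
    """
    findings = []
    root = ET.fromstring(svg_text)
    for elem in root.iter():
        tag = elem.tag.split("}")[-1].lower()   # strip "{namespace}" prefix
        if tag == "script":
            findings.append("<script> element")
        for attr, value in elem.attrib.items():
            local = attr.split("}")[-1].lower()
            if local.startswith("on"):
                findings.append(f"event handler attribute {local}")
            elif local == "href" and value.strip().lower().startswith("javascript:"):
                findings.append("javascript: href")
    return findings


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def csp_blocks_inline_script(header: str) -> bool:
    """True if the policy forbids inline script (what an SVG's <script> is).

    Rules applied: script-src governs scripts, falling back to default-src;
    with neither present the browser enforces nothing. 'unsafe-inline'
    permits inline script unless a nonce or hash source is also listed, in
    which case CSP Level 2+ browsers ignore 'unsafe-inline'.
    """
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return False  # no applicable directive: inline script runs
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                            for s in sources)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return False
    return True


if __name__ == "__main__":
    print("malicious:", svg_script_vectors(MALICIOUS_SVG))
    print("benign:", svg_script_vectors(BENIGN_SVG))
    for label, csp in (("weak", WEAK_CSP), ("strict", STRICT_CSP), ("none", "")):
        print(f"{label} CSP blocks inline script: {csp_blocks_inline_script(csp)}")
```

Run directly, the script flags all three vectors in the malicious sample, none in the benign one, and reports that only the strict policy blocks inline script. The CSP check is deliberately conservative: it answers only the inline-script question the advisory's workaround hinges on, and it does not model origin differences for SVGs opened from `data:` or `blob:` URLs, so treat a "True" as necessary, not sufficient, and still upgrade to 1.4.0.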