PT-2025-44214 · Unknown · Privatebin

Published

2025-10-28

·

Updated

2025-10-29

·

CVE-2025-62796

CVSS v3.1

5.8

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

PrivateBin versions 1.7.7 through 2.0.1

Description

PrivateBin is an online pastebin designed to ensure the server has no knowledge of pasted data. Versions 1.7.7 through 2.0.1 are susceptible to persistent HTML injection through an unsanitized attachment name when attachments are enabled. An attacker can modify the attachment name before encryption; after decryption, the name is inserted unescaped into the page near the file size hint, so arbitrary HTML is rendered. This can lead to redirect attacks (e.g., using meta refresh) and site defacement, potentially enabling phishing attacks. The issue was introduced in version 1.7.7 and resolved in version 2.0.2. The recommended Content Security Policy normally blocks script execution, limiting confidentiality impact.

Recommendations

Update to version 2.0.2 or later. Enforce the recommended Content Security Policy. Deploy PrivateBin on a separate domain. Disable attachments.
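Added illustration, not PrivateBin's own code: the function names, the size formatter and the sample filename below are hypothetical. It shows why a decrypted attachment name, which is client-side untrusted data, must be escaped before it is placed next to the file size hint as HTML, and adds a check a reviewer or regression test can run to confirm the rendered fragment carries only the template's own tags.

```javascript
// Minimal HTML escaper for text nodes and double-quoted attribute values.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Hypothetical size formatter for the file size hint (not PrivateBin's).
function formatSize(bytes) {
  const units = ['B', 'KiB', 'MiB', 'GiB'];
  let value = bytes;
  let i = 0;
  while (value >= 1024 && i < units.length - 1) { value /= 1024; i += 1; }
  return `${value.toFixed(i === 0 ? 0 : 1)} ${units[i]}`;
}

// Vulnerable pattern: the decrypted name is concatenated straight into markup,
// so any tags the sender put into the name become part of the page.
function renderAttachmentHintUnsafe(name, bytes) {
  return `<span class="attachment">${name} (${formatSize(bytes)})</span>`;
}

// Hardened pattern: escape the name before it reaches the DOM as HTML
// (equivalently, assign it via textContent instead of innerHTML).
function renderAttachmentHintSafe(name, bytes) {
  return `<span class="attachment">${escapeHtml(name)} (${formatSize(bytes)})</span>`;
}

// Defensive check: every tag in the rendered fragment must be one the
// template itself emits (here only <span>); anything else came from the name.
function containsForeignMarkup(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?span(\s|>)/.test(t));
}

// Constructed sample: a filename carrying markup, as it could be set before encryption.
const SAMPLE_NAME = 'notes<b>.txt</b>';
```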

Exploit

Fix

Open Redirect

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-62796
GHSA-867C-P784-5Q6G

Affected Products

Privatebin