PT-2025-46774 · Unknown · Privatebin

Published: 2025-11-13 · Updated: 2025-11-17 · CVE-2025-64711

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: PrivateBin versions 1.7.7 through 2.0.2

Description: PrivateBin is an online pastebin system designed with zero knowledge of pasted data. Versions 1.7.7 through 2.0.2 are susceptible to a self cross-site scripting (self-XSS) issue. Dragging a file whose filename contains HTML into the application can lead to the execution of arbitrary JavaScript within the user's session. This allows an attacker to potentially exfiltrate plaintext, encryption keys, or stored pastes before encryption, effectively compromising the zero-knowledge guarantees for that session. The attack requires the user to be on macOS or Linux, file uploads must be enabled, and the user must be tricked into attaching a maliciously named file. The impact is considered low because the exploit is contained within the file name and affects only the local session of the user who attaches the file. Even where Content-Security-Policy (CSP) is enabled, HTML injection attacks such as redirection or phishing may still be possible.

Recommendations: Versions prior to 2.0.3 should be updated to version 2.0.3 or later.
XSS

Weakness Enumeration

Related Identifiers

CVE-2025-64711
GHSA-R9X7-7GGJ-FX9F

Affected Products

Privatebin