CVE-2025-64714

Name of the Vulnerable Software and Affected Versions PrivateBin versions 1.7.7 through 2.0.2

Description PrivateBin contains a Local File Inclusion issue in the template-switching feature. If templateselection is enabled in the configuration, the server trusts the template cookie and includes the referenced PHP file. An attacker can potentially read sensitive data or, if they manage to drop a PHP file elsewhere, gain remote code execution. The issue stems from changes made in commit 44f8cfbfb8df4b4bec1cbf79aa8ce51abdb18be3, which introduced a trust mechanism for the template cookie. The View::getTemplateFilePath() function constructs a path to the template file, and View::draw() includes the file. The vulnerability is exploitable by sending a request with a malicious template cookie, such as template=../cfg/conf, pointing to a PHP file without its suffix. The issue is only possible if templateselection is enabled. The vulnerability could be used to chain more attacks or execute other PHP files on the host system if they exist and the path can be guessed.

Recommendations Update to PrivateBin version 2.0.3 or later. As a workaround, set templateselection = false in cfg/conf.php or remove it entirely.