Download Latest Version
Release v1.7.9 - Fix arbitrary PHP file inclusion, HTML injection_XSS vulnerability in filenames of attached files _ self-XSS vulnerabilities source code.tar.gz (768.7 kB)
Get an email when there's a new version of PrivateBin
| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| Parent folder | |||
| PrivateBin-1.7.9.zip.asc | 2025-11-13 | 833 Bytes | |
| PrivateBin-1.7.9.tar.gz.asc | 2025-11-13 | 833 Bytes | |
| multiple.intoto.jsonl | 2025-11-13 | 22.0 kB | |
| README.md | 2025-11-13 | 1.9 kB | |
| Release v1.7.9 - Fix arbitrary PHP file inclusion, HTML injection_XSS vulnerability in filenames of attached files _ self-XSS vulnerabilities source code.tar.gz | 2025-11-13 | 768.7 kB | |
| Release v1.7.9 - Fix arbitrary PHP file inclusion, HTML injection_XSS vulnerability in filenames of attached files _ self-XSS vulnerabilities source code.zip | 2025-11-13 | 933.5 kB | |
| Totals: 6 Items | 1.7 MB | 0 | |
- CHANGED: Upgrading libraries to: base-x 5.0.1, bootstrap 5.3.8, DOMpurify 3.2.7, ip-lib 1.21.0 & kjua 0.10.0
- CHANGED: Refactored jQuery DOM element creation into plain JavaScript
- FIXED: Prevent arbitrary PHP file inclusion when enabling template switching
- FIXED: Malicious filename can be used for self-XSS / HTML injection locally for users
- FIXED: Sanitize file name in attachment size hint
- FIXED: Unable to create a new paste from the cloned one when a JSON file attached (#1585)
- FIXED: traffic limiter not working when using Filesystem storage and PHP opcache
- FIXED: Configuration combinations test errors
This release addresses issues with arbitrary PHP file inclusion when enabling template switching and lacking sanitation of file names when drag-&-dropping files into PrivateBin with malicious filenames. More details on this issue can be found in the security advisories:
- Template-switching feature allowing arbitrary local file inclusion through path traversal (CVE-2025-64714)
- Malicious filename can be used for self-XSS / HTML injection locally for users (CVE-2025-64711)
- Missing HTML sanitisation of attached filename in file size hint enabling persistent XSS, defacement, open redirect attacks etc. (CVE-2025-62796)
Note that as per our security policy, we only consider the latest release to be supported, so do consider upgrading your 1.7 install to 2.x as soon as possible. This backport was provided due to the major changes that come with the 2.x release and for use in installations that don't yet have PHP 7.4 or later support available.
