Release v2.0.3 - Fix arbitrary PHP file inclusion & self-XSS vulnerabilities

Latest

github-actions released this 12 Nov 07:10

· 52 commits to master since this release

2.0.3

19ca6d3

FIXED: Prevent arbitrary PHP file inclusion when enabling template switching (CVE-2025-64714)
FIXED: Malicious filename can be used for self-XSS / HTML injection locally for users (CVE-2025-64711)
FIXED: Unable to create a new paste from the cloned one when a JSON file attached (#1585)

This release addresses issues with arbitrary PHP file inclusion when enabling template switching and lacking sanitation of file names when drag-&-dropping files into PrivateBin with malicious filenames. More details on this issue can be found in the security advisories:

Template-switching feature allowing arbitrary local file inclusion through path traversal
Malicious filename can be used for self-XSS / HTML injection locally for users

Assets 5

4 Join discussion

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Release v2.0.3 - Fix arbitrary PHP file inclusion & self-XSS vulnerabilities

Choose a tag to compare

Sorry, something went wrong.

Sorry, something went wrong.

Uh oh!

No results found

Uh oh!