79 matches found
GHSA-VM85-HXW5-5432 vulnerabilities
Vulnerabilities for packages: drupal, privatebin, nextcloud-server...
GHSA-CWXW-98QJ-8QJX vulnerabilities
Vulnerabilities for packages: drupal, privatebin, nextcloud-server...
CVE-2026-55766 vulnerabilities
Vulnerabilities for packages: drupal, privatebin, nextcloud-server...
CVE-2026-55767 vulnerabilities
Vulnerabilities for packages: drupal, privatebin, nextcloud-server...
GHSA-WPWQ-4J6V-78M3 vulnerabilities
Vulnerabilities for packages: drupal, privatebin, nextcloud-server...
CVE-2026-55568 vulnerabilities
Vulnerabilities for packages: drupal, privatebin, nextcloud-server...
CVE-2024-39899
PrivateBin is an online pastebin where the server has zero knowledge of pasted data. In v1.5, PrivateBin introduced the YOURLS server-side proxy. The idea was to allow using the YOURLs URL shortener without running the YOURLs instance without authentication and/or exposing the authentication toke...
Self Cross-Site Scripting (Self-XSS)
privatebin/privatebin is vulnerable to self cross-site scripting Self-XSS. The vulnerability is due to improper handling and reflection of HTML content in filenames via the drag-and-drop helper, which allows an attacker to trick a macOS or Linux user into attaching a maliciously crafted file and...
Local File Inclusion (LFI)
PrivateBin is vulnerable to Local File Inclusion LFI. The vulnerability is due to improper validation of the template cookie in the template-switching feature, which allows an attacker to include arbitrary PHP files and potentially read sensitive data or achieve remote code execution...
Persistent HTML Injection
privatebin/privatebin is vulnerable to persistent HTML injection. The vulnerability is due to an unsanitized attachment filename attachmentname when attachments are enabled, which allows an attacker to modify the filename before encryption so that, after decryption, arbitrary HTML is inserted...
PrivateBin vulnerable to malicious filename use for self-XSS / HTML injection locally for users
Summary Dragging a file whose filename contains HTML is reflected verbatim into the page via the drag-and-drop helper, so any user who drops a crafted file on PrivateBin will execute arbitrary JavaScript within their own session self-XSS. This allows an attacker who can entice a victim to drag or...
EUVD-2025-150355
PrivateBin vulnerable to malicious filename use for self-XSS / HTML injection locally for users...
GHSA-R9X7-7GGJ-FX9F PrivateBin vulnerable to malicious filename use for self-XSS / HTML injection locally for users
Summary Dragging a file whose filename contains HTML is reflected verbatim into the page via the drag-and-drop helper, so any user who drops a crafted file on PrivateBin will execute arbitrary JavaScript within their own session self-XSS. This allows an attacker who can entice a victim to drag or...
EUVD-2025-175312
PrivateBin's template-switching feature allows arbitrary local file inclusion through path traversal...
GHSA-G2J9-G8R5-RG82 PrivateBin's template-switching feature allows arbitrary local file inclusion through path traversal
Summary An unauthenticated Local File Inclusion exists in the template-switching feature: if templateselection is enabled in the configuration, the server trusts the template cookie and includes the referenced PHP file. An attacker can read sensitive data or, if they manage to drop a PHP file...
CVE-2025-64714
PrivateBin is an online pastebin where the server has zero knowledge of pasted data. Starting in version 1.7.7 and prior to version 2.0.3, an unauthenticated Local File Inclusion exists in the template-switching feature. If templateselection is enabled in the configuration, the server trusts the...
CVE-2025-64711
PrivateBin is an online pastebin where the server has zero knowledge of pasted data. Starting in version 1.7.7 and prior to version 2.0.3, dragging a file whose filename contains HTML is reflected verbatim into the page via the drag-and-drop helper, so any user who drops a crafted file on...
CVE-2025-64714
PrivateBin is an online pastebin where the server has zero knowledge of pasted data. Starting in version 1.7.7 and prior to version 2.0.3, an unauthenticated Local File Inclusion exists in the template-switching feature. If templateselection is enabled in the configuration, the server trusts the...
Relative Path Traversal
Overview privatebin/privatebin is a minimalist, open source online pastebin where the server has zero knowledge of pasted data. Affected versions of this package are vulnerable to Relative Path Traversal via the template-switching feature when templateselection is enabled in the configuration. An...
CVE-2025-64714 PrivateBin's template-switching feature allows arbitrary local file inclusion through path traversal
PrivateBin is an online pastebin where the server has zero knowledge of pasted data. Starting in version 1.7.7 and prior to version 2.0.3, an unauthenticated Local File Inclusion exists in the template-switching feature. If templateselection is enabled in the configuration, the server trusts the...