Local File Inclusion (LFI)

PrivateBin is vulnerable to Local File Inclusion LFI. The vulnerability is due to improper validation of the template cookie in the template-switching feature, which allows an attacker to include arbitrary PHP files and potentially read sensitive data or achieve remote code execution...

PrivateBin's template-switching feature allows arbitrary local file inclusion through path traversal

Summary An unauthenticated Local File Inclusion exists in the template-switching feature: if templateselection is enabled in the configuration, the server trusts the template cookie and includes the referenced PHP file. An attacker can read sensitive data or, if they manage to drop a PHP file...

Relative Path Traversal

Overview privatebin/privatebin is a minimalist, open source online pastebin where the server has zero knowledge of pasted data. Affected versions of this package are vulnerable to Relative Path Traversal via the template-switching feature when templateselection is enabled in the configuration. An...

CVE-2025-64714 PrivateBin's template-switching feature allows arbitrary local file inclusion through path traversal

PrivateBin is an online pastebin where the server has zero knowledge of pasted data. Starting in version 1.7.7 and prior to version 2.0.3, an unauthenticated Local File Inclusion exists in the template-switching feature. If templateselection is enabled in the configuration, the server trusts the...