3 matches found
CVE-2022-24833
CVE-2022-24833 is a Persistent XSS in PrivateBin caused by SVG attachments with JavaScript before v1.4.0. The issue originates from how image previews were rendered for attachments (introduced around v0.21) and could execute code when a user opened a crafted SVG, bypassed or mishandled CSP. Affec...
CVE-2020-5223
CVE-2020-5223 affects PrivateBin: 1.2.0 before 1.2.2 and 1.3.0 before 1.3.2. The root cause is an unescaped user-provided attachment filename that can inject HTML, enabling a persistent XSS when a paste is viewed (e.g., via cloning). The issue has been fixed in PrivateBin v1.3.2 and v1.2.2. Upgra...
CVE-2025-64711
CVE-2025-64711 affects PrivateBin versions 1.7.7–2.0.3. A drag-and-drop filename containing HTML is rendered as HTML in the drag-and-drop helper, enabling self‑XSS in the victim’s session on macOS/Linux when file uploads are enabled. An attacker must entice the user to attach a maliciously named ...