GHSA-r9x7-7ggj-fx9f · Severity: low · Ecosystem: composer — PrivateBin vulnerable to malicious filename use for self-XSS / HTML injection locally for users
PrivateBin is an online pastebin where the server has zero knowledge of pasted data. Starting in version 1.7.7 and prior to version 2.0.3, dragging a file whose filename contains HTML is reflected verbatim into the page via the drag-and-drop helper, so any user who drops a crafted file on PrivateBin will execute arbitrary JavaScript within their own session (self-XSS). This allows an attacker who can entice a victim to drag or otherwise attach such a file to exfiltrate plaintext, encryption keys, or stored pastes before they are encrypted or sent. Certain conditions must exist for the vulnerability to be exploitable. Only macOS or Linux users are affected, due to the way the `>` character is treated in a file name on Windows. The PrivateBin instance needs to have file upload enabled. An attacker needs to have access to the local file system or somehow convince the user to create (or download) a malicious file (name). An attacker needs to convince the user to attach that malicious file to PrivateBin. Any Mac / Linux user who can be tricked into dragging a maliciously named file into the editor is impacted; code runs in the origin of the PrivateBin instance they are using. Attackers can steal plaintext, passphrases, or manipulate the UI before data is encrypted, defeating the zero-knowledge guarantees for that victim session, assuming counter-measures like Content-Security-Policy (CSP) have been disabled. If CSP is not disabled, HTML injection attacks may be possible - like redirecting to a foreign website, phishing etc. As the whole exploit needs to be included in the file name of the attached file and only affects the local session of the user (aka it is neither persistent nor remotely executable) and that user needs to interact and actively attach that file to the paste, the impact is considered to be practically low. Version 2.0.3 patches the issue.
Conclusion & alert: CVE-2025-64711 is rated Exploit Available (50/100): CVSS Low severity, with low exploitation likelihood (EPSS 0.01%). Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB). Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2025-11-13 | — | 0.01% | — |
Full EPSS history (1 record total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 3.9 | 3.1 | LOW |
|
1.3 | 2.5 | [email protected] |
| 5.4 | 3.1 | MEDIUM |
|
2.3 | 2.7 | [email protected] |
GHSA-r9x7-7ggj-fx9f · Severity: low · Ecosystem: composer — PrivateBin vulnerable to malicious filename use for self-XSS / HTML injection locally for users
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| privatebin | privatebin | >= 1.7.7, < 2.0.3 | cpe:2.3:a:privatebin:privatebin:*:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://github.com/PrivateBin/PrivateBin/commit/f9550e513381208b36595ee2404e968144bba78b | Patch |
| https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-r9x7-7ggj-fx9f | Exploit Mitigation Vendor Advisory |