CVE-2025-62796: PrivateBin is missing HTML sanitization of attached filename in file size hint
We’ve identified an HTML injection/XSS vulnerability in the PrivateBin service that allows the injection of arbitrary HTML markup via the attached filename. Below are the technical details, PoC, reproduction steps, impact, and mitigation recommendations.
Recommended action: As the vulnerability has been fixed in the latest version, users are strongly encouraged to upgrade PrivateBin to the latest version and to check that a strong CSP header, such as the default suggested one, is delivered.
Summary of the vulnerability: The attachment_name field, which holds the attached file's name, is part of the object that the client encrypts, and it is eventually rendered into the DOM (in the file size hint) without proper escaping.
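The defect class described above is an untrusted string (the decrypted attachment name) being concatenated into HTML. The following is an added illustration, not code from the PrivateBin project: the function names, the size-hint markup and the sample filename are all constructed here. It places the vulnerable rendering pattern beside the escaped one and adds a small check a reviewer could turn into a regression test.

```javascript
// Added example (not PrivateBin's own code). Everything below, including the
// function names and the "size-hint" markup, is constructed for illustration.

// Minimal HTML escaping of the characters that matter in text and attribute
// contexts. In a browser, assigning to textContent (or a sanitizer such as
// DOMPurify, which the PrivateBin fix relies on) is the idiomatic alternative
// to building markup by string concatenation.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Vulnerable pattern: the decrypted attachment name goes straight into markup,
// so any tags it contains are interpreted by the browser instead of displayed.
function fileSizeHintUnsafe(attachmentName, sizeBytes) {
  return `<span class="size-hint">${attachmentName} (${sizeBytes} bytes)</span>`;
}

// Hardened pattern: escape the untrusted name before it enters the HTML
// string, and coerce the size so only a number can land in the output.
function fileSizeHintSafe(attachmentName, sizeBytes) {
  return `<span class="size-hint">${escapeHtml(attachmentName)} (${Number(sizeBytes)} bytes)</span>`;
}

// Defender-side check: strip the one wrapper element we emitted ourselves and
// report whether any angle bracket survived inside it. Anything left over
// came from the untrusted input, which is exactly what must never happen.
function containsForeignMarkup(html) {
  const inner = html
    .replace(/^<span class="size-hint">/, '')
    .replace(/<\/span>$/, '');
  return /[<>]/.test(inner);
}

// Constructed sample: a filename carrying harmless bold tags. The point is
// that the unsafe renderer would let the browser interpret them.
const sampleName = '<b>report</b>.pdf';
console.log('unsafe:', fileSizeHintUnsafe(sampleName, 1024));
console.log('safe:  ', fileSizeHintSafe(sampleName, 1024));
console.log('foreign markup in unsafe output:', containsForeignMarkup(fileSizeHintUnsafe(sampleName, 1024)));
console.log('foreign markup in safe output:  ', containsForeignMarkup(fileSizeHintSafe(sampleName, 1024)));
```

The check in `containsForeignMarkup` is deliberately narrow: it knows the exact wrapper the renderer emits and treats any other angle bracket as a finding, which is the kind of assertion worth keeping in a test suite after a fix like the referenced commit. Output escaping is the fix; the CSP header recommended above is the second layer that limits what injected markup can do if escaping is ever missed again.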
References
- github.com/PrivateBin/PrivateBin
- github.com/PrivateBin/PrivateBin/commit/c4f8482b3072be7ae012cace1b3f5658dcc3b42e
- github.com/PrivateBin/PrivateBin/pull/1550
- github.com/PrivateBin/PrivateBin/security/advisories/GHSA-867c-p784-5q6g
- github.com/advisories/GHSA-867c-p784-5q6g
- nvd.nist.gov/vuln/detail/CVE-2025-62796