CVE-2025-64711: PrivateBin vulnerable to malicious filename use for self-XSS / HTML injection locally for users
A filename containing HTML is reflected verbatim into the page by the drag-and-drop helper when the file is dragged onto PrivateBin, so any user who drops a crafted file will execute arbitrary JavaScript within their own session (self-XSS). An attacker who can entice a victim to drag or otherwise attach such a file can therefore exfiltrate plaintext, encryption keys, or stored pastes before they are encrypted or sent.
Note 1: because the malicious filename must contain the > character, the victim must not be using Windows, since that OS forbids this character in filenames.
Note 2: most PrivateBin instances send the Content-Security-Policy header, which prevents most uses of this vulnerability. This report describes the impact as if the instance owner had disabled that header.
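The pattern behind this issue, shown as an added illustration rather than PrivateBin's own code: a dropped file's name concatenated into markup (the vulnerable form) beside the same rendering with the name escaped (the hardened form, equivalent to assigning `element.textContent` in a real browser). The DOM is simulated with plain strings so the snippet runs offline; the sample filename and all function names are constructed for this example.

```javascript
// Added example (not from the PrivateBin project). Models the defect class in
// CVE-2025-64711: a filename is inserted into the page as HTML instead of text.

// Constructed sample filename: contains "<" and ">" (which Windows forbids,
// hence Note 1) so the difference between the two renderers is visible.
const SAMPLE_NAME = 'report<b>bold</b>.txt';

// Vulnerable pattern: the name is treated as markup, as innerHTML would do.
function renderFilenameUnsafe(fileName) {
  return '<span class="filename">' + fileName + '</span>';
}

// Hardened pattern: escape the HTML-significant characters first, so the
// browser renders the name literally. In a real page, prefer textContent.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

function renderFilenameSafe(fileName) {
  return '<span class="filename">' + escapeHtml(fileName) + '</span>';
}

// Defender check: after stripping the wrapper element, does the fragment still
// contain anything that an HTML parser would treat as a tag?
function containsInjectedTag(html) {
  const inner = html
    .replace(/^<span class="filename">/, '')
    .replace(/<\/span>$/, '');
  return /<[a-zA-Z\/!]/.test(inner);
}

// Stand-alone demonstration.
console.log('unsafe:', renderFilenameUnsafe(SAMPLE_NAME),
            containsInjectedTag(renderFilenameUnsafe(SAMPLE_NAME)));
console.log('safe:  ', renderFilenameSafe(SAMPLE_NAME),
            containsInjectedTag(renderFilenameSafe(SAMPLE_NAME)));
```

Note 2 still applies: a Content-Security-Policy that forbids inline script blocks the execution step even in the unsafe renderer, but the escaping fix removes the injection itself.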