CVE-2025-64714: PrivateBin's template-switching feature allows arbitrary local file inclusion through path traversal
PrivateBin's template-switching feature contains an unauthenticated local file inclusion. When `templateselection` is enabled in the configuration, the server takes the template name from the `template` cookie without validation and builds the path of the PHP file it includes from that value. Because the value is not confined to the template directory, a path-traversal sequence in the cookie makes the server include an arbitrary local file. An unauthenticated attacker can use this to read sensitive files on the server and, if they can first place a PHP file anywhere on the server's filesystem, to execute arbitrary code. Installations that do not enable `templateselection` are not exposed through this path; those that do should treat the cookie as attacker-controlled input and restrict it to the templates that actually ship with the installation.
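The following is an added illustration of the vulnerable pattern the advisory describes, next to a hardened version that restricts the cookie to an allowlist of shipped templates. It is not PrivateBin's code and does not reproduce the project's fix; the directory layout, the default template name and the helper names are assumptions made for the example.

```php
<?php
// Added illustration, not PrivateBin's code. Vulnerable pattern (cookie value
// spliced into an include path) next to a hardened one (allowlist plus a
// realpath containment check). TEMPLATE_DIR, DEFAULT_TEMPLATE and the helper
// names are assumptions for this example.

declare(strict_types=1);

const TEMPLATE_DIR     = __DIR__ . '/tpl/';   // assumed template directory
const DEFAULT_TEMPLATE = 'bootstrap5';        // assumed default template name

// --- Vulnerable: the cookie is trusted and concatenated into the path that is
// passed to include. A cookie such as template=../../../../etc/passwd resolves
// outside TEMPLATE_DIR; include() then reads (and, for a .php target, executes)
// whatever the traversal points at.
function renderVulnerable(array $cookies, bool $templateSelection): string
{
    $template = DEFAULT_TEMPLATE;
    if ($templateSelection && isset($cookies['template'])) {
        $template = (string) $cookies['template'];   // no validation at all
    }
    return TEMPLATE_DIR . $template . '.php';        // what would be included
}

// --- Hardened: only an exact name of a template that exists in TEMPLATE_DIR
// is accepted; anything else falls back to the default.
function allowedTemplates(): array
{
    $names = [];
    foreach (glob(TEMPLATE_DIR . '*.php') ?: [] as $file) {
        $names[] = basename($file, '.php');
    }
    return $names;
}

function selectTemplate(array $cookies, bool $templateSelection): string
{
    if (!$templateSelection || !isset($cookies['template'])) {
        return DEFAULT_TEMPLATE;
    }
    $candidate = (string) $cookies['template'];
    // Strict comparison against the allowlist: '../x' or 'bootstrap5/../../x'
    // can never equal a bare file name produced by basename().
    if (in_array($candidate, allowedTemplates(), true)) {
        return $candidate;
    }
    return DEFAULT_TEMPLATE;
}

function renderHardened(array $cookies, bool $templateSelection): string
{
    $path = TEMPLATE_DIR . selectTemplate($cookies, $templateSelection) . '.php';
    // Defence in depth: refuse any path whose canonical form leaves TEMPLATE_DIR,
    // so a later change to the allowlist logic cannot silently reopen the hole.
    $real = realpath($path);
    $base = realpath(TEMPLATE_DIR);
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('template path escapes the template directory');
    }
    return $real;
}

// Self-check with a constructed traversal cookie; nothing is actually included.
$attack = ['template' => '../../../../etc/passwd'];
echo 'vulnerable would include: ', renderVulnerable($attack, true), PHP_EOL;
echo 'hardened selects:         ', selectTemplate($attack, true), PHP_EOL;
```

Run the file directly to see the two outcomes side by side: the vulnerable path points at `/etc/passwd.php` relative to the traversal, while the hardened selector returns the default template because the cookie value matches no shipped template name. The allowlist check is what closes the bug; the `realpath` containment test is a second line of defence in case the allowlist is ever built from a less trustworthy source than the directory listing.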