PrivateBin Self-XSS Vulnerability via Malicious Filenames in Drag-and-Drop

Vulnerability

A self cross-site scripting (self-XSS) vulnerability has been identified in PrivateBin versions from 1.7.7 up to, but not including, 2.0.3. The issue arises when a file is dragged and dropped onto the PrivateBin interface and its filename contains HTML: the filename is reflected directly into the page as HTML, so any JavaScript embedded in it executes in the user's session. This can be used to exfiltrate plaintext, encryption keys, or stored pastes before they are encrypted and sent. Only macOS and Linux users are affected, since Windows does not allow the '>' character in filenames, and the PrivateBin instance must have file uploads enabled.

Impact

Exploitation results in self cross-site scripting: the injected JavaScript executes in the context of the user's session on the PrivateBin instance in use. This could expose plaintext data or encryption keys, or allow manipulation of the user interface before data is encrypted, undermining PrivateBin's zero-knowledge privacy model for that session. If the Content-Security-Policy is not properly configured, HTML injection attacks similar to those described in CVE-2025-62796 could also be possible.

Reproduction

To reproduce this vulnerability, create a file on a macOS or Linux system whose name includes HTML or JavaScript, such as a file with an image source payload, and upload it to a PrivateBin instance with file uploads enabled. When the file is dropped into the PrivateBin editor, the filename is processed as HTML and any embedded script runs, for example an alert displaying the document domain.
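The root cause described above is a filename being inserted into the page as markup rather than as text. The following is an added example, not PrivateBin's own code, that contrasts the vulnerable rendering pattern with a hardened one and adds a simple detection hook; the filename, the function names and the class name are constructed for illustration. It runs in Node without a DOM by working on the HTML string a page would end up inserting.

```javascript
// Constructed sample filename containing markup. macOS and Linux allow '<' and
// '>' in filenames, which is why the advisory limits the affected platforms.
const CONSTRUCTED_FILENAME = '<img src=x onerror="alert(document.domain)">report.txt';

// Vulnerable pattern: the filename is concatenated straight into markup, which
// is equivalent to `element.innerHTML = '<span>' + name + '</span>'` in a page.
// Kept here only to show the difference; do not use this form.
function renderFilenameUnsafe(name) {
  return '<span class="attachment-name">' + name + '</span>';
}

// Escape the five characters the HTML parser treats specially so the filename
// is rendered as literal text. In a real page the equivalent is creating a text
// node (element.textContent = name) instead of assigning innerHTML.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: same layout, but the filename can no longer introduce tags.
function renderFilenameSafe(name) {
  return '<span class="attachment-name">' + escapeHtml(name) + '</span>';
}

// Count the tags an HTML parser would see in a rendered string. The unsafe
// render of the sample gains an extra <img> tag; the safe render does not.
function countTags(html) {
  const matches = html.match(/<\/?[a-zA-Z][^>]*>/g);
  return matches ? matches.length : 0;
}

// Detection hook for an upload validator or server-side log: flag filenames
// that contain characters the HTML parser treats as markup. This is a heuristic
// for monitoring, not a substitute for escaping at render time.
function filenameLooksLikeMarkup(name) {
  return /[<>"'&]/.test(name);
}

// Stand-alone demonstration.
console.log('unsafe tags:', countTags(renderFilenameUnsafe(CONSTRUCTED_FILENAME)));
console.log('safe tags:  ', countTags(renderFilenameSafe(CONSTRUCTED_FILENAME)));
console.log('flagged:    ', filenameLooksLikeMarkup(CONSTRUCTED_FILENAME));
```

The escaping step is the actual fix; the detection hook only helps an operator notice attempts on instances that cannot upgrade yet. A strict Content-Security-Policy without `unsafe-inline` would additionally block the inline handler in this sample, which is why the advisory calls out CSP configuration.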

Remediation

Users are advised to upgrade to PrivateBin version 2.0.3, which fixes this vulnerability. Those unable to upgrade should disable file attachments in the PrivateBin configuration or deploy PrivateBin on a separate domain to limit the vulnerability's scope.

Added: Nov 13, 2025, 3:19 AM
Updated: Nov 13, 2025, 3:19 AM

Vulnerability Rating

Custom Algorithm

  spread          3.4
  impact          3.1
  exploitability  6.2
  remediation     8.3
  relevance       1.0
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.