| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 4.0 | $0-$5k | 0.00 |
Summary
A vulnerability has been found in PrivateBin up to 2.0.2 and classified as problematic. This affects an unknown function of the component File Handler. Performing a manipulation results in cross site scripting. This vulnerability is reported as CVE-2025-64711. The attack requires a local approach. No exploit exists. The affected component should be upgraded.
Details
A vulnerability classified as problematic has been found in PrivateBin up to 2.0.2. This affects an unknown part of the component File Handler. The manipulation with an unknown input leads to a cross site scripting vulnerability. CWE is classifying the issue as CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. This is going to have an impact on integrity. The summary by CVE is:
PrivateBin is an online pastebin where the server has zero knowledge of pasted data. Starting in version 1.7.7 and prior to version 2.0.3, dragging a file whose filename contains HTML is reflected verbatim into the page via the drag-and-drop helper, so any user who drops a crafted file on PrivateBin will execute arbitrary JavaScript within their own session (self-XSS). This allows an attacker who can entice a victim to drag or otherwise attach such a file to exfiltrate plaintext, encryption keys, or stored pastes before they are encrypted or sent. Certain conditions must exist for the vulnerability to be exploitable. Only macOS or Linux users are affected, due to the way the `>` character is treated in a file name on Windows. The PrivateBin instance needs to have file upload enabled. An attacker needs to have access to the local file system or somehow convince the user to create (or download) a malicious file (name). An attacker needs to convince the user to attach that malicious file to PrivateBin. Any Mac / Linux user who can be tricked into dragging a maliciously named file into the editor is impacted; code runs in the origin of the PrivateBin instance they are using. Attackers can steal plaintext, passphrases, or manipulate the UI before data is encrypted, defeating the zero-knowledge guarantees for that victim session, assuming counter-measures like Content-Security-Policy (CSP) have been disabled. If CSP is not disabled, HTML injection attacks may be possible - like redirecting to a foreign website, phishing etc. As the whole exploit needs to be included in the file name of the attached file and only affects the local session of the user (aka it is neither persistent nor remotely executable) and that user needs to interact and actively attach that file to the paste, the impact is considered to be practically low. Version 2.0.3 patches the issue.
It is possible to read the advisory at github.com. This vulnerability is uniquely identified as CVE-2025-64711 since 11/10/2025. The exploitability is told to be easy. Attacking locally is a requirement. It demands that the victim is doing some kind of user interaction. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1059.007 according to MITRE ATT&CK.
Upgrading to version 2.0.3 eliminates this vulnerability. Applying the patch f9550e513381208b36595ee2404e968144bba78b is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.
The vulnerability is also documented in the databases at CNNVD (CNNVD-202511-1671) and EUVD (EUVD-2025-150355). Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Product
Name
Version
License
Website
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔒VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 4.0VulDB Meta Temp Score: 4.0
VulDB Base Score: 2.8
VulDB Temp Score: 2.7
VulDB Vector: 🔒
VulDB Reliability: 🔍
NVD Base Score: 5.4
NVD Vector: 🔒
CNA Base Score: 3.9
CNA Vector (GitHub_M): 🔒
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploiting
Class: Cross site scriptingCWE: CWE-79 / CWE-94 / CWE-74
CAPEC: 🔒
ATT&CK: 🔒
Physical: Partially
Local: Yes
Remote: Yes
Availability: 🔒
Status: Not defined
EPSS Score: 🔒
EPSS Percentile: 🔒
Price Prediction: 🔍
Current Price Estimation: 🔒
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔒
Upgrade: PrivateBin 2.0.3
Patch: f9550e513381208b36595ee2404e968144bba78b
Timeline
11/10/2025 CVE reserved11/13/2025 Advisory disclosed
11/13/2025 VulDB entry created
11/27/2025 VulDB entry last update
Sources
Product: github.comAdvisory: GHSA-r9x7-7ggj-fx9f
Status: Confirmed
CVE: CVE-2025-64711 (🔒)
GCVE (CVE): GCVE-0-2025-64711
GCVE (VulDB): GCVE-100-332307
EUVD: 🔒
CNNVD: CNNVD-202511-1671 - PrivateBin 安全漏洞
Entry
Created: 11/13/2025 07:52Updated: 11/27/2025 08:01
Changes: 11/13/2025 07:52 (66), 11/14/2025 17:43 (6), 11/14/2025 23:02 (1), 11/15/2025 15:04 (1), 11/16/2025 15:42 (1), 11/27/2025 08:01 (11)
Complete: 🔍
Cache ID: 216::103
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.