PrivateBin is an online pastebin where the server has zero knowledge of pasted data. Versions 1.7.7 through 2.0.1 allow persistent HTML injection via the unsanitized attachment filename (attachment_name) when attachments are enabled. An attacker can modify attachment_name before encryption so that, after decryption, arbitrary HTML is inserted unescaped into the page near the file size hint, enabling redirect (e.g., meta refresh) and site defacement and related phishing attacks. Script execution is normally blocked by the recommended Content Security Policy, limiting confidentiality impact. The issue was introduced in 1.7.7 and fixed in 2.0.2. Update to 2.0.2 or later. Workarounds include enforcing the recommended CSP, deploying PrivateBin on a separate domain, or disabling attachments.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 6e1105d8-bfc2-11f0-bb2b-ecf4bbefc954 advisory.

    privatebin reports:
    Dragging a file whose filename contains HTML is reflected verbatim               into the page via the drag-and-drop helper, so any user who drops a               crafted file on PrivateBin will execute arbitrary JavaScript within               their own session (self-XSS). This allows an attacker who can entice               a victim to drag or otherwise attach such a file to exfiltrate               plaintext, encryption keys, or stored pastes before they are               encrypted or sent.

Tenable has extracted the preceding description block directly from the FreeBSD security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

There are packages installed that are affected by a vulnerability referenced in the following CVE:

  - PrivateBin is an online pastebin where the server has zero knowledge of pasted data. Versions 1.7.7
    through 2.0.1 allow persistent HTML injection via the unsanitized attachment filename (attachment_name)
    when attachments are enabled. An attacker can modify attachment_name before encryption so that, after
    decryption, arbitrary HTML is inserted unescaped into the page near the file size hint, enabling redirect
    (e.g., meta refresh) and site defacement and related phishing attacks. Script execution is normally
    blocked by the recommended Content Security Policy, limiting confidentiality impact. The issue was
    introduced in 1.7.7 and fixed in 2.0.2. Update to 2.0.2 or later. Workarounds include enforcing the
    recommended CSP, deploying PrivateBin on a separate domain, or disabling attachments. (CVE-2025-62796)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the a8dacd4b-b416-11f0-9f23-ecf4bbefc954 advisory.

    PrivateBin reports:
    We've identified an HTML injection/XSS vulnerability in the PrivateBin                service that allows the injection of arbitrary HTML markup via the attached                filename.

Tenable has extracted the preceding description block directly from the FreeBSD security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
275368	FreeBSD : privatebin XSS (6e1105d8-bfc2-11f0-bb2b-ecf4bbefc954)	Nessus	FreeBSD Local Security Checks	medium
435839	SCA: security update for privatebin/privatebin (GHSA-867c-p784-5q6g)	Tenable Cloud Security	SCA Checks	medium
435839	SCA: security update for privatebin/privatebin (GHSA-867c-p784-5q6g)	Tenable Self-Hosted Container Security	SCA Checks	medium
271952	FreeBSD : privatebin - Missing HTML sanitisation of attached filename in file size hint enabling persistent XSS (a8dacd4b-b416-11f0-9f23-ecf4bbefc954)	Nessus	FreeBSD Local Security Checks	medium

Detections

Analytics

CVE-2025-62796

medium

Tenable Plugins

medium

medium

medium

medium