SCA: security update for privatebin/privatebin (GHSA-867c-p784-5q6g)

medium Tenable Self-Hosted Container Security Plugin ID 435839

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- PrivateBin is an online pastebin where the server has zero knowledge of pasted data. Versions 1.7.7
through 2.0.1 allow persistent HTML injection via the unsanitized attachment filename (attachment_name)
when attachments are enabled. An attacker can modify attachment_name before encryption so that, after
decryption, arbitrary HTML is inserted unescaped into the page near the file size hint, enabling redirects
(e.g., meta refresh), site defacement, and related phishing attacks. Script execution is normally
blocked by the recommended Content Security Policy, limiting the confidentiality impact. The issue was
introduced in 1.7.7 and fixed in 2.0.2. Update to 2.0.2 or later. Workarounds include enforcing the
recommended CSP, deploying PrivateBin on a separate domain, or disabling attachments. (CVE-2025-62796)

See Also

https://github.com/advisories/GHSA-867c-p784-5q6g

Plugin Details

Severity: Medium

ID: 435839

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 10/29/2025

Updated: 6/1/2026

Risk Information

VPR

Risk Factor: Low

Score: 1.6

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2025-62796

CVSS v3

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 5.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 10/28/2025

Vulnerability Publication Date: 10/28/2025

Reference Information

CVE: CVE-2025-62796