CVE-2025-62796
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-28

Last updated on: 2025-10-30

Assigner: GitHub, Inc.

Description
PrivateBin is an online pastebin where the server has zero knowledge of pasted data. Versions 1.7.7 through 2.0.1 allow persistent HTML injection via the unsanitized attachment filename (attachment_name) when attachments are enabled. An attacker can modify attachment_name before encryption so that, after decryption, arbitrary HTML is inserted unescaped into the page near the file size hint, enabling redirect (e.g., meta refresh) and site defacement and related phishing attacks. Script execution is normally blocked by the recommended Content Security Policy, limiting confidentiality impact. The issue was introduced in 1.7.7 and fixed in 2.0.2. Update to 2.0.2 or later. Workarounds include enforcing the recommended CSP, deploying PrivateBin on a separate domain, or disabling attachments.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-28
Last Modified
2025-10-30
Generated
2026-06-16
AI Q&A
2025-10-28
EPSS Evaluated
2026-06-14
NVD
CVE-2025-62796
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
privatebin privatebin 1.7.7
privatebin privatebin 2.0.2
privatebin privatebin 2.0.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-80 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in PrivateBin versions 1.7.7 through 2.0.1 allows an attacker to perform persistent HTML injection via the unsanitized attachment filename (attachment_name) when attachments are enabled. The attacker can modify the attachment_name before encryption so that after decryption, arbitrary HTML is inserted unescaped into the page near the file size hint. This can enable redirects (such as meta refresh), site defacement, and phishing attacks. The vulnerability was introduced in version 1.7.7 and fixed in 2.0.2.

Impact Analysis

The vulnerability can lead to site defacement, phishing attacks, and redirects by injecting arbitrary HTML into the page. Although script execution is normally blocked by the recommended Content Security Policy (CSP), the injected HTML can still be used for malicious purposes such as redirecting users to malicious sites or displaying misleading content. This impacts the integrity and trustworthiness of the site but does not affect confidentiality or availability.

Mitigation Strategies

To mitigate this vulnerability, immediately update PrivateBin to version 2.0.2 or later. Alternatively, you can enforce the recommended Content Security Policy (CSP), deploy PrivateBin on a separate domain, or disable attachments to prevent exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62796. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart