Dragging a file whose filename contains HTML is reflected verbatim into the page via the drag-and-drop helper. (CVE-2025-64711)

An unauthenticated Local File Inclusion exists in the template-switching feature. (CVE-2025-64714)

We've identified an HTML injection/XSS vulnerability in the PrivateBin service that allows the injection of arbitrary HTML markup via the attached filename. This has been mitigated in PrivateBin 2.0.2.

A bypass of the YOURLS proxy URL filter has been mitigated in PrivateBin 1.7.4.

An XSS vulnerability was found in the SVG attachment preview, which has been mitigated in PrivateBin v1.4.0.

On 25th of December 2019 an XSS vulnerability has been discovered, which has been fixed in PrivateBin v1.3.2 & v1.2.2.

On 31st of August, @cryptolok reported a cryptographic vulnerability in PrivateBin, which has been fixed in PrivateBin v1.2.1.

On 29th of September, @pstn reported a medium data leak vulnerability in PrivateBin, which has been fixed in PrivateBin v1.1.1.

Measures taken against the issues raised in the 2014 ZeroBin security audit.