This release fixes a security vulnerability that allowed HTML injection/XSS (CVE-2025-62796).
The vulnerability allows attackers to inject arbitrary HTML into the filename displayed near the file size hint, when attachments are enabled. This is by definition an XSS vulnerability (CWE-80), in this case even a persistent XSS. As any HTML can be injected, this can e.g. be used to inject a script tag (as per CWE-79).
This has been mitigated in PrivateBin 2.0.2, so we strongly urge users to update.
More details of the vulnerability, mitigation etc. can be found in the vulnerability report.
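To illustrate the class of bug described above, the following is an added example written for these notes; it is not PrivateBin's code and does not reproduce the project's actual templates or variable names. It contrasts building the attachment size hint by string concatenation (where an attacker-controlled filename is parsed as markup) with building it from DOM text nodes, which is the approach a plain-JavaScript DOM refactor naturally leads to. The `fakeDocument` stub and the sample filename are constructed so the example runs outside a browser.

```javascript
// Added example, not PrivateBin's code. Demonstrates why an attachment filename
// must never be concatenated into HTML, and how to render it as text instead.

// Human-readable size, e.g. 1536 -> "1.5 KiB" (assumed format, not the project's).
function formatBytes(bytes) {
  const units = ['B', 'KiB', 'MiB', 'GiB'];
  let value = Number(bytes);
  let i = 0;
  while (value >= 1024 && i < units.length - 1) {
    value /= 1024;
    i += 1;
  }
  return i === 0 ? `${value} ${units[0]}` : `${value.toFixed(1)} ${units[i]}`;
}

// VULNERABLE PATTERN: the filename is user-controlled (it is stored with the
// paste), so writing this string into innerHTML lets its tags become live DOM.
function sizeHintHtmlUnsafe(filename, bytes) {
  return `<span class="attachment-size">${filename} (${formatBytes(bytes)})</span>`;
}

// Minimal HTML escaping for the case where a string really has to go into
// innerHTML. Covers the five characters that can open markup or attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function sizeHintHtmlSafe(filename, bytes) {
  return `<span class="attachment-size">${escapeHtml(filename)} (${formatBytes(bytes)})</span>`;
}

// PREFERRED PATTERN: build nodes and attach the filename as a text node.
// Text nodes are never parsed as markup, so no escaping step can be forgotten.
function sizeHintNode(doc, filename, bytes) {
  const span = doc.createElement('span');
  span.className = 'attachment-size';
  span.appendChild(doc.createTextNode(`${filename} (${formatBytes(bytes)})`));
  return span;
}

// Constructed stand-in for `document` so this file runs under Node without a
// browser. In a page you would pass the real `document` instead.
const fakeDocument = {
  createElement(tagName) {
    return {
      tagName,
      className: '',
      childNodes: [],
      appendChild(node) { this.childNodes.push(node); return node; },
      get textContent() { return this.childNodes.map((n) => n.textContent).join(''); },
    };
  },
  createTextNode(text) {
    return { textContent: String(text) };
  },
};

// Constructed sample: a filename carrying a tag, as the advisory describes.
const sampleFilename = '<script>x</script>.txt';
console.log('unsafe :', sizeHintHtmlUnsafe(sampleFilename, 1536));
console.log('escaped:', sizeHintHtmlSafe(sampleFilename, 1536));
console.log('node   :', sizeHintNode(fakeDocument, sampleFilename, 1536).textContent);
```

The escaping variant is shown only for comparison; when the element is created with `createElement` and the name is attached via `createTextNode` or `textContent`, there is no string-to-markup step at all, which is why that pattern removes the bug rather than patching it in one spot.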
Changes since v2.0.1
- CHANGED: Upgrading libraries to: DOMpurify 3.3.0
- CHANGED: Refactored jQuery DOM element creation into plain JavaScript
- FIXED: Sanitize file name in attachment size hint (CVE-2025-62796 / https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-867c-p784-5q6g)
- FIXED: PHP OPcache module is optional again (#1679)
- FIXED: bootstrap template password peek input group display
Help wanted & greatly appreciated
Apart from the large tasks that require deeper insight and time, there are also smaller issues where help is wanted, topics open to debate and of course many languages that still remain to be translated. We are also still looking for additional long term maintainers among our frequent issue helpers.
What can we offer you in return for your help?
- We can offer you our mentorship, if this is your first time participating as a maintainer of an open source software project. We can guide you through submitting your first pull requests and work with you to ensure your change fulfils the community's quality standards, gets merged and makes it into a release.
- Your work gets publicly credited. This can help you build up a resume, showing off your growing skill set, in programming as well as your soft skills.
- PrivateBin is a smaller project. If you'd like to learn how to participate and contribute in an open source git project, this should be less overwhelming than larger projects.
- We do have a decent unit test code coverage, so it is an environment forgiving of mistakes. You may still introduce logical flaws or issues in new features, not yet covered in the tests, but you can rely on the tests preventing any regressions in other areas.
- You don't have to be proficient in multiple programming languages; there are a lot of things to improve within either the JavaScript or PHP areas that don't need you to understand the other side, beyond their shared API.
- It can be an opportunity to learn about continuous integration tools to automate tasks like tests, security scans, etc.
If you are interested in helping with any of these points, we have prepared a development guide including design goals, code structure and tools to get you started. For any questions, you can chat with the maintainers in the discussion area or reach us via email.