This release addresses issues with arbitrary PHP file inclusion when enabling template switching and lacking sanitation of file names when drag-&-dropping files into PrivateBin with malicious filenames.

Dragging a file whose filename contains HTML is reflected verbatim into the page via the drag-and-drop helper. (CVE-2025-64711)

An unauthenticated Local File Inclusion exists in the template-switching feature. (CVE-2025-64714)

We've identified an HTML injection/XSS vulnerability in the PrivateBin service that allows the injection of arbitrary HTML markup via the attached filename. This has been mitigated in PrivateBin 2.0.2.

This release fixes a security vulnerability that allowed HTML injection/XSS (CVE-2025-62796).

This release changes configuration defaults including switching the template and removing legacy features.

A bypass of the YOURLS proxy URL filter has been mitigated in PrivateBin 1.7.4.

This release asks for confirmation, before loading burn after reading pastes.

This release adds translations for Japanese & Arabic and increases the minimal required PHP version to 7.3.

This release contains an improvement for the S3 storage & updates several libraries.