Release v2.0.2 - Fix HTML injection/XSS vulnerability in filenames of attached files

[elrido]

• CHANGED: Upgrading libraries to: DOMpurify 3.3.0
• CHANGED: Refactored jQuery DOM element creation into plain JavaScript
• FIXED: Sanitize file name in attachment size hint (CVE-2025-62796 / GHSA-867c-p784-5q6g)
• FIXED: PHP OPcache module is optional again (Make OPcache optional #1679)
• FIXED: bootstrap template password peek input group display

This release addresses an issue with the lacking sanitation of file names when displaying attached files. This issue affects instances that enable fileupload. More details on this issue can be found in the security advisory.

---

This discussion was created from the release Release v2.0.2 - Fix HTML injection/XSS vulnerability in filenames of attached files.

[tristanlatr]

Thanks for the patch!

I'd suggest to add a big red banner to the release changelog of all affected versions in https://github.com/PrivateBin/PrivateBin/releases saying that the version is vulnerable to injection and should be avoided.

[elrido]

We did that for 1.7.2, so should better be consistent and do it also for other releases.

Here is a list I collected of all releases per changelog (which reminds me to update it with the 1.7.9 backport) and links to the reports on the fix-releases and marked x when affected by one of those linked issues:

• 2.0.3 fixes for https://privatebin.info/reports/vulnerability-2025-11-12-templates.html & https://privatebin.info/reports/vulnerability-2025-11-12-templates.html
• 2.0.2 x fix for https://privatebin.info/reports/vulnerability-2025-10-28.html
• 2.0.1 x
• 2.0.0 x
• 1.7.8 x
• 1.7.7 x
• 1.7.6
• 1.7.5
• 1.7.4 fix for https://privatebin.info/reports/vulnerability-2024-07-09.html
• 1.7.3 x
• 1.7.2 x
• 1.7.1 x
• 1.7.0 x
• 1.6.2 x
• 1.6.1 x
• 1.6.0 x
• 1.5.2 x
• 1.5.1 x
• 1.5 x
• 1.4 fix for https://privatebin.info/reports/vulnerability-2022-04-09.html
• 1.3.5 x
• 1.3.4 x
• 1.3.3 x
• 1.2.3 x
• 1.3.2 x fix for https://privatebin.info/reports/vulnerability-2020-01-11.html
• 1.2.2 x
• 1.3.1 x
• 1.3 x
• 1.2.1 fix for https://privatebin.info/reports/vulnerability-2018-08-11.html
• 1.2 x
• 1.1.1 x fix for https://privatebin.info/reports/vulnerability-2017-09-29.html
• 1.1 x
• 1.0 x
• 0.22 x
• 0.21.1 x
• 0.21 x
• 0.20 x

So if I spot that correctly, the only releases we can currently recommend (other than the latest one) are 1.4, 1.7.4 - 1.7.6, 1.7.9 and 2.0.3. So, recommend anyone before 1.4 to upgrade to 2.0.3, 1.7.9 or 1.4.0, etc.?

[rugk]

That said if we do that for each release it's really cumbersome. I mean suggestion anyway is to always use the latest release anyway, hmm. (or maybe only the latest major release before the fix?)

But yeah if someone wants to do that. We can use these big warning boxes or so.

[elrido]

Yes, it's indeed a lot of work for very little payoff. And if we find another issue that affects 1.4 or the remaining 1.7 ones we have to go back to those. Simpler to stick to recommending to only use the latest release whenever possible. We're not getting payed to do this...