PrivateBin

Fixes for arbitrary PHP file inclusion via template switching (CVE-2025-64714), self-XSS via malicious filenames (CVE-2025-64711), and inability to create a new paste from a cloned one when a JSON file is attached (#1585).

Upgrade DOMpurify to 3.3.0, replace jQuery DOM creation with plain JS, fix file name sanitization in attachment size hints (CVE-2025-62796), make OPcache optional again, and fix password peek display in the bootstrap template.

Adds auto URL shortening (config shortenbydefault), new shortenviashlink endpoint with shlink, password peek; updates Bootstrap 5.3.8, DOMPurify 3.2.7, ip-lib 1.21.0; fixes decrypt paste, copy shortened URL, CSP frame-ancestors URL extraction, and traffic limiter with opcache.

This release makes defaults: bootstrap5 template, jdenticon icons, SI data sizes, renamed “document” and removed the page template and v1/ZeroBin support; introduces v2 format, drops legacy columns, raises PHP to 7.4, with upgrade guidance.

Fixed duplicate attachments across comments, prevented attachments with empty file names, and corrected the page template script loading order.

Adds UI template switching and multi-file uploads, shows file name/size on downloads, reduces memory by passing large data by reference, removes ctype polyfill, upgrades DOMPurify 3.2.6 and ip-lib 1.20.0, CSP note for PDFs, and various fixes.

Adds copy-to-clipboard via icon or Ctrl/Cmd+C, keyboard navigation toggle, WASM streaming with wasm-unsafe-eval CSP (server MIME type required), replaces strpos with str_starts_with/str_contains (polyfills included), paste-delete as button, library upgrades, UI tweaks, and language-change redirect fix.

Adds non-persistent SQL connections when configured; displays a redirect button after paste deletion; updates footer styling; simplifies PostgreSQL table lookup; makes SRI hashes configurable; updates libraries (DOMpurify, ip-lib, cloud-storage, aws-sdk-php); fixes numeric array keys being cast under strict mode.

This release switches saved markdown to .md, enables strict PHP typing, tweaks bootstrap5 template, and fixes reset password field, upgrade-skipping for DB, dark mode toggle, and prevents YOURLS proxy bypass (see security advisory).

Updated bootstrap5 template with community tweaks; upgraded DOMpurify to 3.1.3; fixed expiration selection not applying when using the bootstrap template.

Adds an optional Bootstrap 5.3-based template, input sanitation, shortened URLs in query params, upgrades DOMPurify 3.1.2 and jQuery 3.7.1; API no longer returns create, PHP minimum 7.3, SameSite lax cookies, cache-header fixes, and button label now “Create.”

Fixed the Wasm file reference for zlib 1.3.1.

Adds Romanian translations and paste-damage detection; requires confirmation before loading burns; focuses password input in modal; upgrades DOMpurify 3.0.8 and zlib 1.3.1; fixes include URL validation for shorteners, overlapping email TZ buttons, language URL mangling, and unnecessary default URL reload.

Fixed: English not selectable when language selection is enabled; fixed SRI mismatch caused by a cached file change.

Adds Right-To-Left (RTL) support for Arabic and Hebrew and upgrades DOMpurify to 3.0.6.

Adds Japanese and Arabic translations; makes the Email button configurable (enabled by default); raises minimum PHP version to 7.3 (PHPUnit upgrade) and drops the PHP 5 random_bytes polyfill.

This patch enables AWS S3 to use the default credential provider chain, exposes JSON-LD types, fixes PHP 8.2 deprecations, and updates DOMpurify 3.0.4 and jQuery 3.7.0 with security fixes.

This patch reverts the filesystem purge to a limited, randomized lookup, adds an administration script for managing pastes and statistics, fixes JSON decode errors, and updates GCS/S3 libraries.

Adds S3 storage backend with a migration script, four new translations, Jdenticons icon option, library updates, MySQL/MariaDB tweaks, and YOURLS proxy integration.

This release improves SVG preview security, adds Google Cloud Storage and Oracle DB backends, expands translations (Corsican, Estonian, Finnish, Lojban), updates libraries, and enables migrations without data-dir write access.

This release fixes multiple issues, adds four translations (Hebrew, Lithuanian, Indonesian, Catalan), updates libraries, makes project info configurable, and opens links in new tabs by default; upgrade 1.3.x.

Release 1.3.4 fixes HTML entity encoding, enables custom email expiration options, resolves paste-with-attachment password issues, and updates identicon to 2.0.0, raising the PHP minimum to 5.6.

This release fixes HTML entity double-encoding from 1.3.2, expands XSS protection to server-side templating, updates DOMpurify to 2.0.8, and includes updated translations.

Fixes HTML entity double-encoding from 1.3.2, expands XSS protection to server-side templating, and upgrades DOMPurify to 2.0.8.

This release patches a persistent XSS via attachment filenames, updates libraries (base-x 3.0.7, DOMpurify 2.0.7, Showdown 1.9.1), and offers a backport option for legacy browsers.

PrivateBin fixes a persistent XSS via unescaped attachment filenames, includes broad security improvements and library upgrades (Bootstrap, DOMPurify, jQuery, etc.), and recommends upgrading to 1.2.1/1.3.x with a legacy-browser backport.

Release 1.3.1 improves error messaging for unsupported browsers/configs, adds Bulgarian translation, UI tweaks (bootstrap, drag & drop, shortener), JSON API for the URL shortener, raises default size limit to 10 MiB, and includes various fixes.

This release re-enables legacy browser support and fixes the low-entropy key vulnerability in PrivateBin, ensuring keys are generated with sufficient entropy; legacy support will be dropped in the next release.

This release fixes a data leak by converting configuration and paste data from INI/JSON to PHP files, protecting against misconfigured servers; includes automatic migration on next run and updated installation guidance.

This patch fixes DB model meta data loss, mobile navbar on load, adds a meta column to the paste table, and makes the Bootstrap template navbar span full width on large screens.