PrivateBin
Encrypted online pastebin for storing text securely
Alternative to: ZeroBin, PrivateBin alternatives, 0bin, Ghostbin, Hastebin, Pastebin.com, Pastes.io, 0x0.st, PrivateNote
v1.7.9
2025-11-13
- CHANGED: Upgrading libraries to: base-x 5.0.1, bootstrap 5.3.8, DOMpurify 3.2.7, ip-lib 1.21.0 & kjua 0.10.0
- CHANGED: Refactored jQuery DOM element creation into plain JavaScript
- FIXED: Prevent arbitrary PHP file inclusion when enabling template switching
- FIXED: Malicious filename can be used for self-XSS / HTML injection locally for users
- FIXED: Sanitize file name in attachment size hint
- FIXED: Unable to create a new paste from the cloned one when a JSON file attached (#1585)
- FIXED: traffic limiter not working when using Filesystem storage and PHP opcache
- FIXED: Configuration combinations test errors
This release addresses arbitrary PHP file inclusion when template switching is enabled, and missing sanitization of file names when files with malicious file names are dragged and dropped into PrivateBin. More details on these issues can be found in the security advisories:
- Template-switching feature allowing arbitrary local file inclusion through path traversal (CVE-2025-64714)
- Malicious filename can be used for self-XSS / HTML injection locally for users (CVE-2025-64711)
- Missing HTML sanitisation of attached filename in file size hint enabling persistent XSS, defacement, open redirect attacks etc. (CVE-2025-62796)
Note that as per our security policy, we only consider the latest release to be supported, so do consider upgrading your 1.7 install to 2.x as soon as possible. This backport was provided due to the major changes that come with the 2.x release and for use in installations that don’t yet have PHP 7.4 or later support available.
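The two file name fixes above (CVE-2025-64711, CVE-2025-62796) both concern a user-controlled file name reaching HTML without escaping. The following is an added example, not PrivateBin's own code, contrasting raw interpolation with escaped output; the function names, the `hint` markup and the sample file names are assumptions constructed for illustration.

```javascript
// Added illustration; not taken from PrivateBin's source.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every character that can change HTML parsing context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function formatSize(bytes) {
  return bytes < 1024 ? `${bytes} B` : `${(bytes / 1024).toFixed(1)} KiB`;
}

// Weak pattern: the file name is interpolated into markup as-is, so any
// tag it contains becomes part of the page once assigned to innerHTML.
function sizeHintUnsafe(file) {
  return `<span class="hint">${file.name} (${formatSize(file.size)})</span>`;
}

// Hardened pattern: the file name is treated as text. In a browser,
// assigning it to element.textContent achieves the same result.
function sizeHintSafe(file) {
  return `<span class="hint">${escapeHtml(file.name)} (${formatSize(file.size)})</span>`;
}

// Review helper: list every tag in the markup other than the wrapper span.
function injectedTags(markup) {
  const tags = markup.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.filter((tag) => !/^<\/?span\b/.test(tag));
}

// Constructed sample attachments (names are valid on common file systems).
const SAMPLES = [
  { name: 'report.pdf', size: 2048 },
  { name: '<img src=x>.txt', size: 10 },
  { name: '<u>notes.txt', size: 300 },
];

// Compare both renderers on each sample.
function audit(files) {
  return files.map((file) => ({
    name: file.name,
    unsafe: injectedTags(sizeHintUnsafe(file)).length,
    safe: injectedTags(sizeHintSafe(file)).length,
  }));
}

console.log(audit(SAMPLES));
```
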