PrivateBin

Developer Productivity

A minimalist, open source online pastebin where the server has zero knowledge of pasted data. Data is encrypted and decrypted in the browser using 256-bit AES.

PHP · Latest 2.0.4 · 1mo ago

Features

  • Zero‑knowledge pastebin – server stores only encrypted data
  • Client‑side AES‑256‑GCM encryption with optional password protection
  • Configurable expiration, discussions, Markdown and syntax highlighting

Recent releases

2.0.4 Breaking risk
Breaking changes
  • Removed obsolete X-XSS-Protection header
Notable features
  • Added Swedish and Persian translations
Full changelog
  • ADDED: Translations for Swedish & Persian
  • CHANGED: Deduplicate JSON error message translations
  • CHANGED: Refactored translation of exception messages
  • CHANGED: Upgrading libraries to: DOMpurify 3.4.1, ip-lib 1.22.0, polyfill-php80 1.34.0 & zlib 1.3.2
  • CHANGED: Remove obsolete X-XSS-Protection header (#1825)
  • FIXED: Some exceptions not getting translated
  • FIXED: Attachment disappears after a "paste" in the message area (#1731)
  • FIXED: The content format is not reset when creating a new document (#1707)
1.7.9 Security relevant
Security fixes
  • CVE-2025-64714: Template-switching feature path traversal for arbitrary local file inclusion
  • CVE-2025-64711: Malicious filename enabling self-XSS and HTML injection
  • CVE-2025-62796: Missing HTML sanitisation enabling persistent XSS in attachment filenames
2.0.3 Security relevant
Security fixes
  • Arbitrary PHP file inclusion via template switching (CVE-2025-64714)
  • Malicious filename XSS/HTML injection (CVE-2025-64711)
2.0.2 Security relevant
Security fixes
  • Unsanitized filename in attachment size hint (CVE-2025-62796)
2.0.1 Mixed
Notable features
  • Auto URL shortening with configurable defaults (`shortenbydefault`) and shlink endpoint integration
  • Password peek functionality for reviewing paste contents before decryption
Full changelog
  • ADDED: Auto shorten URLs with config option shortenbydefault (#1627)
  • ADDED: Added shortenviashlink endpoint with an shlink configuration section
  • ADDED: Password peek (#1254)
  • CHANGED: CSP recommendation around bootstrap5 template resolved in Firefox 131 (#1613)
  • CHANGED: Upgrading libraries to: bootstrap 5.3.8, DOMpurify 3.2.7 & ip-lib 1.21.0
  • FIXED: Allow pasting a password for decrypting a paste (#1620)
  • FIXED: Allow copying the shortened link after using a URL shortener (#1624)
  • FIXED: URL extraction fails when frame-ancestors is set in CSP (#1644)
  • FIXED: traffic limiter not working when using Filesystem storage and PHP opcache

About

Stars
8,339
Forks
994
Languages
PHP JavaScript CSS