Skip to content

Release history

PrivateBin releases

A minimalist, open source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256 bits AES.

Back to tool Latest release

All releases

8 shown

2.0.4 Breaking risk
Breaking changes
  • Removed obsolete X-XSS-Protection header
Notable features
  • Added Swedish and Persian translations
Full changelog
  • ADDED: Translations for Swedish & Persian
  • CHANGED: Deduplicate JSON error message translations
  • CHANGED: Refactored translation of exception messages
  • CHANGED: Upgrading libraries to: DOMpurify 3.4.1, ip-lib 1.22.0, polyfill-php80 1.34.0 & zlib 1.3.2
  • CHANGED: Remove obsolete X-XSS-Protection header (#1825)
  • FIXED: Some exceptions not getting translated
  • FIXED: Attachment disappears after a "paste" in the message area (#1731)
  • FIXED: The content format is not reset when creating a new document (#1707)
View release on GitHub
1.7.9 Security relevant
Security fixes
  • CVE-2025-64714: Template-switching feature path traversal for arbitrary local file inclusion
  • CVE-2025-64711: Malicious filename enabling self-XSS and HTML injection
  • CVE-2025-62796: Missing HTML sanitisation enabling persistent XSS in attachment filenames
View release on GitHub
2.0.3 Security relevant
Security fixes
  • Arbitrary PHP file inclusion via template switching (CVE-2025-64714)
  • Malicious filename XSS/HTML injection (CVE-2025-64711)
View release on GitHub
2.0.2 Security relevant
Security fixes
  • Unsanitized filename in attachment size hint (CVE-2025-62796)
View release on GitHub
2.0.1 Mixed
Notable features
  • Auto URL shortening with configurable defaults (`shortenbydefault`) and shlink endpoint integration
  • Password peek functionality for reviewing paste contents before decryption
Full changelog
  • ADDED: Auto shorten URLs with config option shortenbydefault (#1627)
  • ADDED: Added shortenviashlink endpoint with an shlink configuration section
  • ADDED: Password peek (#1254)
  • CHANGED: CSP recommendation around bootstrap5 template resolved in Firefox 131 (#1613)
  • CHANGED: Upgrading libraries to: bootstrap 5.3.8, DOMpurify 3.2.7 & ip-lib 1.21.0
  • FIXED: Allow pasting a password for decrypting a paste (#1620)
  • FIXED: Allow copying the shortened link after using a URL shortener (#1624)
  • FIXED: URL extraction fails when frame-ancestors is set in CSP (#1644)
  • FIXED: traffic limiter not working when using Filesystem storage and PHP opcache
View release on GitHub
2.0.0 Breaking risk
Breaking changes
  • Removed page template; replace with bootstrap5 or bootstrap variant
  • Removed support for v1 and ZeroBin pastes
  • Removed model classes: privatebin_data, privatebin_db, zerobin_db; use Filesystem or Database
Notable features
  • Switched default template to bootstrap5
  • Jdenticons used by default instead of blocky identicons
  • Switched from binary bytes to SI-units for data size display
View release on GitHub
1.7.7 Mixed

Adds support for multiple file uploads and template switching via the web UI.

View release on GitHub

Beta — feedback welcome: [email protected]