PrivateBin

• CHANGED: Upgrading libraries to: base-x 5.0.1, bootstrap 5.3.8, DOMpurify 3.2.7, ip-lib 1.21.0 & kjua 0.10.0
• CHANGED: Refactored jQuery DOM element creation into plain JavaScript
• FIXED: Prevent arbitrary PHP file inclusion when enabling template switching
• FIXED: Malicious filename can be used for self-XSS / HTML injection locally for users
• FIXED: Sanitize file name in attachment size...

• FIXED: Prevent arbitrary PHP file inclusion when enabling template switching (CVE-2025-64714)
• FIXED: Malicious filename can be used for self-XSS / HTML injection locally for users (CVE-2025-64711)
• FIXED: Unable to create a new paste from the cloned one when a JSON file attached (#1585)

This release addresses issues with arbitrary PHP file inclusion when enabling template switching and l...

• CHANGED: Upgrading libraries to: DOMpurify 3.3.0
• CHANGED: Refactored jQuery DOM element creation into plain JavaScript
• FIXED: Sanitize file name in attachment size hint (CVE-2025-62796 / https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-867c-p784-5q6g)
• FIXED: PHP OPcache module is optional again (#1679)
• FIXED: bootstrap template password peek input group display

Th...

• ADDED: Auto shorten URLs with config option shortenbydefault (#1627)
• ADDED: Added shortenviashlink endpoint with an shlink configuration section
• ADDED: Password peek (#1254)
• CHANGED: CSP recommendation around bootstrap5 template resolved in Firefox 131 (#1613)
• CHANGED: Upgrading libraries to: bootstrap 5.3.8, DOMpurify 3.2.7 & ip-lib 1.21.0
• FIXED: Allow pasting a password fo...

This release changes configuration defaults including switching the template and removing legacy features.

The most notable change is the switch of the default template to bootstrap5. We switched to use the Jdenticons library by default for the comment creator icons, as it doesn't require the GD library. And we changed the user interface to display SI-prefixes instead of binary bytes for...