Vulnerability DatabaseCVE-2025-64714

CVE-2025-64714:
PHP vulnerability analysis and mitigation

Overview

CVE-2025-64714 is a Local File Inclusion (LFI) vulnerability discovered in PrivateBin's template-switching feature. The vulnerability affects PrivateBin versions since 1.7.7 up to version 2.0.3, where it was patched. When the templateselection feature is enabled in the configuration, the server trusts the template cookie and includes the referenced PHP file without proper validation, potentially allowing an unauthenticated attacker to read sensitive data or achieve Remote Code Execution (RCE) under specific conditions (GitHub Advisory, Miggo).

Technical details

The vulnerability exists in the template-switching feature's implementation where the TemplateSwitcher::isTemplateAvailable method blindly trusts user input from the template cookie. The vulnerability is triggered when a visitor sets a cookie template pointing to an existing PHP file without its suffix, using a path relative to the tpl folder. The CVSS score is 5.8 (Moderate) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N. The vulnerability is tracked as CWE-23 (Relative Path Traversal), CWE-73 (External Control of File Name or Path), and CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) (GitHub Advisory).

Impact

The vulnerability allows an attacker to read sensitive data through local file inclusion. While PrivateBin's project files are protected by default due to PHP protection lines that prevent execution, if a configuration file lacks this protection or if an attacker can identify the relative path to a PHP script without proper privilege checking, information could be leaked or code execution might be possible. Analysis of real-world impact revealed 11 instances with the template switcher enabled, though none had unprotected configuration files (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been patched in PrivateBin version 2.0.3. For users unable to update immediately, a workaround is available by setting templateselection = false in cfg/conf.php or removing it entirely, as its default value is false. The patch implements proper input validation and prevents directory traversal attempts (GitHub Advisory).

Additional resources

Source: This report was generated using AI

Related PHP vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
GHSA-wprj-9cvc-5w37	HIGH	7.5	PHP	wwbn/avideo	No	No	Mar 29, 2026
CVE-2026-34036	MEDIUM	6.5	PHP	dolibarr/dolibarr	No	No	Mar 31, 2026
CVE-2026-33887	MEDIUM	5.4	PHP	statamic/cms	No	Yes	Mar 27, 2026
CVE-2026-27599	MEDIUM	4.7	PHP	ci4-cms-erp/ci4ms	No	Yes	Mar 30, 2026
CVE-2026-34372	MEDIUM	N/A	PHP	sulu/sulu	No	Yes	Mar 30, 2026

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2025-64714: PHP vulnerability analysis and mitigation