CVE-2025-66292

HIGH EPSS 44.1%
Published Jan 15, 20265mo ago · Modified Jun 17, 20262w ago
8.1 CVSS 3.1
High
Find Similar
Published Jan 15, 2026 5mo ago
Last Modified Jun 17, 2026 2w ago

Description

DPanel is an open source server management panel written in Go. Prior to 1.9.2, DPanel has an arbitrary file deletion vulnerability in the /api/common/attach/delete interface. Authenticated users can delete arbitrary files on the server via path traversal. When a user logs into the administrative backend, this interface can be used to delete files. The vulnerability lies in the Delete function within the app/common/http/controller/attach.go file. The path parameter submitted by the user is directly passed to storage.Local{}.GetSaveRealPath and subsequently to os.Remove without proper sanitization or checking for path traversal characters (../). And the helper function in common/service/storage/local.go uses filepath.Join, which resolves ../ but does not enforce a chroot/jail. This vulnerability is fixed in 1.9.2.

CVSS Details

Base Score
8.1
Exploitability
2.8
Impact
5.2
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
44.1% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 2

CWE-22 Path Traversal Resource Mgmt
CWE-73

Affected Products 1

VendorProductVersionRange
dpaneldpanel* <1.9.2

References 3

  • github.com https://github.com/donknap/dpanel/commit/cbda0d90204e8212f2010774345c952e42069119
    Patch
  • github.com https://github.com/donknap/dpanel/releases/tag/v1.9.2
    Release Notes
  • github.com https://github.com/donknap/dpanel/security/advisories/GHSA-vh2x-fw87-4fxq
    ExploitVendor Advisory

Remediation

  • github.com https://github.com/donknap/dpanel/commit/cbda0d90204e8212f2010774345c952e42069119
    Patch