CVE-2025-66292

DPanel is an open source server management panel written in Go. Prior to 1.9.2, DPanel has an arbitrary file deletion vulnerability in the /api/common/attach/delete interface. Authenticated users can delete arbitrary files on the server via path traversal. When a user logs into the administrative backend, this interface can be used to delete files. The vulnerability lies in the Delete function within the app/common/http/controller/attach.go file. The path parameter submitted by the user is directly passed to storage.Local{}.GetSaveRealPath and subsequently to os.Remove without proper sanitization or checking for path traversal characters (../). And the helper function in common/service/storage/local.go uses filepath.Join, which resolves ../ but does not enforce a chroot/jail. This vulnerability is fixed in 1.9.2.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/donknap/dpanel/commit/cbda0d90204e8212f2010774345c952e42069119	Patch
https://github.com/donknap/dpanel/releases/tag/v1.9.2	Release Notes
https://github.com/donknap/dpanel/security/advisories/GHSA-vh2x-fw87-4fxq	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:dpanel:dpanel:*:*:*:*:*:go:*:*

History

No history.

Information

Published : 2026-01-15 17:16

Updated : 2026-03-12 18:07

NVD link : CVE-2025-66292

Mitre link : CVE-2025-66292

CVE.ORG link : CVE-2025-66292

JSON object : View

Products Affected

dpanel

dpanel

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-73

External Control of File Name or Path

{"id": "CVE-2025-66292", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2026-01-15T17:16:04.570", "references": [{"url": "https://github.com/donknap/dpanel/commit/cbda0d90204e8212f2010774345c952e42069119", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/donknap/dpanel/releases/tag/v1.9.2", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/donknap/dpanel/security/advisories/GHSA-vh2x-fw87-4fxq", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-73"}]}], "descriptions": [{"lang": "en", "value": "DPanel is an open source server management panel written in Go. Prior to 1.9.2, DPanel has an arbitrary file deletion vulnerability in the /api/common/attach/delete interface. Authenticated users can delete arbitrary files on the server via path traversal. When a user logs into the administrative backend, this interface can be used to delete files. The vulnerability lies in the Delete function within the app/common/http/controller/attach.go file. The path parameter submitted by the user is directly passed to storage.Local{}.GetSaveRealPath and subsequently to os.Remove without proper sanitization or checking for path traversal characters (../). And the helper function in common/service/storage/local.go uses filepath.Join, which resolves ../ but does not enforce a chroot/jail. This vulnerability is fixed in 1.9.2."}, {"lang": "es", "value": "DPanel es un panel de gesti\u00f3n de servidor de c\u00f3digo abierto escrito en Go. Anterior a 1.9.2, DPanel tiene una vulnerabilidad de eliminaci\u00f3n arbitraria de archivos en la interfaz /api/common/attach/delete. Los usuarios autenticados pueden eliminar archivos arbitrarios en el servidor mediante salto de ruta. Cuando un usuario inicia sesi\u00f3n en el backend administrativo, esta interfaz puede usarse para eliminar archivos. La vulnerabilidad reside en la funci\u00f3n Delete dentro del archivo app/common/http/controller/attach.go. El par\u00e1metro de ruta enviado por el usuario se pasa directamente a storage.Local{}.GetSaveRealPath y, posteriormente, a os.Remove sin una sanitizaci\u00f3n adecuada o sin verificar caracteres de salto de ruta (../). Y la funci\u00f3n auxiliar en common/service/storage/local.go utiliza filepath.Join, que resuelve ../ pero no impone un chroot/jail. Esta vulnerabilidad est\u00e1 corregida en 1.9.2."}], "lastModified": "2026-03-12T18:07:07.010", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dpanel:dpanel:*:*:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "2B472AD9-9206-4EA4-A7BE-3FFA42B28FE9", "versionEndExcluding": "1.9.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}