Description

DPanel is an open source server management panel written in Go. Prior to 1.9.2, DPanel has an arbitrary file deletion vulnerability in the /api/common/attach/delete interface. Authenticated users can delete arbitrary files on the server via path traversal. When a user logs into the administrative backend, this interface can be used to delete files. The vulnerability lies in the Delete function within the app/common/http/controller/attach.go file. The path parameter submitted by the user is directly passed to storage.Local{}.GetSaveRealPath and subsequently to os.Remove without proper sanitization or checking for path traversal characters (../). And the helper function in common/service/storage/local.go uses filepath.Join, which resolves ../ but does not enforce a chroot/jail. This vulnerability is fixed in 1.9.2.

INFO

Published Date :

2026-01-15T16:19:55.507Z

Last Modified :

2026-01-15T16:44:51.018Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-66292 vulnerability.

Vendors Products
Donknap
  • Dpanel
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-66292.

URL Resource
https://github.com/donknap/dpanel/commit/cbda0d90204e8212f2010774345c952e42069119 cve-icon cve-icon
https://github.com/donknap/dpanel/releases/tag/v1.9.2 cve-icon cve-icon
https://github.com/donknap/dpanel/security/advisories/GHSA-vh2x-fw87-4fxq cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact