FKIE_CVE-2025-66292

Vulnerability from fkie_nvd - Published: 2026-01-15 17:16 - Updated: 2026-03-12 18:07
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Summary
DPanel is an open source server management panel written in Go. Prior to 1.9.2, DPanel has an arbitrary file deletion vulnerability in the /api/common/attach/delete interface. Authenticated users can delete arbitrary files on the server via path traversal. When a user logs into the administrative backend, this interface can be used to delete files. The vulnerability lies in the Delete function within the app/common/http/controller/attach.go file. The path parameter submitted by the user is directly passed to storage.Local{}.GetSaveRealPath and subsequently to os.Remove without proper sanitization or checking for path traversal characters (../). And the helper function in common/service/storage/local.go uses filepath.Join, which resolves ../ but does not enforce a chroot/jail. This vulnerability is fixed in 1.9.2.
References
security-advisories@github.comhttps://github.com/donknap/dpanel/commit/cbda0d90204e8212f2010774345c952e42069119Patch
security-advisories@github.comhttps://github.com/donknap/dpanel/releases/tag/v1.9.2Release Notes
security-advisories@github.comhttps://github.com/donknap/dpanel/security/advisories/GHSA-vh2x-fw87-4fxqExploit, Vendor Advisory
Impacted products
Vendor Product Version
dpanel dpanel *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:dpanel:dpanel:*:*:*:*:*:go:*:*",
              "matchCriteriaId": "2B472AD9-9206-4EA4-A7BE-3FFA42B28FE9",
              "versionEndExcluding": "1.9.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "DPanel is an open source server management panel written in Go. Prior to 1.9.2, DPanel has an arbitrary file deletion vulnerability in the /api/common/attach/delete interface. Authenticated users can delete arbitrary files on the server via path traversal. When a user logs into the administrative backend, this interface can be used to delete files. The vulnerability lies in the Delete function within the app/common/http/controller/attach.go file. The path parameter submitted by the user is directly passed to storage.Local{}.GetSaveRealPath and subsequently to os.Remove without proper sanitization or checking for path traversal characters (../). And the helper function in common/service/storage/local.go uses filepath.Join, which resolves ../ but does not enforce a chroot/jail. This vulnerability is fixed in 1.9.2."
    },
    {
      "lang": "es",
      "value": "DPanel es un panel de gesti\u00f3n de servidor de c\u00f3digo abierto escrito en Go. Anterior a 1.9.2, DPanel tiene una vulnerabilidad de eliminaci\u00f3n arbitraria de archivos en la interfaz /api/common/attach/delete. Los usuarios autenticados pueden eliminar archivos arbitrarios en el servidor mediante salto de ruta. Cuando un usuario inicia sesi\u00f3n en el backend administrativo, esta interfaz puede usarse para eliminar archivos. La vulnerabilidad reside en la funci\u00f3n Delete dentro del archivo app/common/http/controller/attach.go. El par\u00e1metro de ruta enviado por el usuario se pasa directamente a storage.Local{}.GetSaveRealPath y, posteriormente, a os.Remove sin una sanitizaci\u00f3n adecuada o sin verificar caracteres de salto de ruta (../). Y la funci\u00f3n auxiliar en common/service/storage/local.go utiliza filepath.Join, que resuelve ../ pero no impone un chroot/jail. Esta vulnerabilidad est\u00e1 corregida en 1.9.2."
    }
  ],
  "id": "CVE-2025-66292",
  "lastModified": "2026-03-12T18:07:07.010",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-15T17:16:04.570",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/donknap/dpanel/commit/cbda0d90204e8212f2010774345c952e42069119"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/donknap/dpanel/releases/tag/v1.9.2"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/donknap/dpanel/security/advisories/GHSA-vh2x-fw87-4fxq"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        },
        {
          "lang": "en",
          "value": "CWE-73"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.