CVE-2025-53363
- Source
- https://cve.org/CVERecord?id=CVE-2025-53363
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-53363.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-53363
- Aliases
- Published
- 2025-08-22T15:18:01.533Z
- Modified
- 2026-04-10T05:30:48.876336Z
- Severity
-
- 4.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:P CVSS Calculator
- Summary
- Dpanel has an arbitrary file read vulnerability
- Details
-
dpanel is an open source server management panel written in Go. In versions 1.2.0 through 1.7.2, dpanel allows authenticated users to read arbitrary files from the server via the /api/app/compose/get-from-uri API endpoint. The vulnerability exists in the GetFromUri function in app/application/http/controller/compose.go, where the uri parameter is passed directly to os.ReadFile without proper validation or access control. A logged-in attacker can exploit this flaw to read sensitive files from the host system, leading to information disclosure. No patched version is available as of this writing.
- Database specific
{ "cwe_ids": [ "CWE-22", "CWE-73" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/53xxx/CVE-2025-53363.json", "cna_assigner": "GitHub_M" }- References