CVE-2025-66292

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-66292

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66292.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-66292

Aliases

Published

2026-01-15T16:19:55.507Z

Modified

2026-03-14T15:05:02.869883Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H CVSS Calculator

Summary

DPanel has an arbitrary file deletion vulnerability in /api/common/attach/delete interface

Details

DPanel is an open source server management panel written in Go. Prior to 1.9.2, DPanel has an arbitrary file deletion vulnerability in the /api/common/attach/delete interface. Authenticated users can delete arbitrary files on the server via path traversal. When a user logs into the administrative backend, this interface can be used to delete files. The vulnerability lies in the Delete function within the app/common/http/controller/attach.go file. The path parameter submitted by the user is directly passed to storage.Local{}.GetSaveRealPath and subsequently to os.Remove without proper sanitization or checking for path traversal characters (../). And the helper function in common/service/storage/local.go uses filepath.Join, which resolves ../ but does not enforce a chroot/jail. This vulnerability is fixed in 1.9.2.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66292.json",
    "cwe_ids": [
        "CWE-22",
        "CWE-73"
    ],
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/donknap/dpanel

Affected ranges

Type: GIT
Repo: https://github.com/donknap/dpanel
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

cc6998b714bfb9a854bf1b314f368b49462997d7

Affected versions

Other

docker-cli-v1

toolchains-v1

v1.*

v1.0.0

v1.0.2

v1.0.2.1

v1.0.2.4

v1.0.3

v1.0.4

v1.0.4.1

v1.0.4.2

v1.1.0

v1.1.1

v1.1.2

v1.1.3

v1.1.4

v1.2.0

v1.2.1

v1.2.2

v1.2.3

v1.2.4

v1.2.5

v1.2.6

v1.3.0

v1.3.1

v1.3.2

v1.3.3

v1.3.4

v1.4.0

v1.4.1

v1.5.0

v1.5.1

v1.5.2

v1.5.3

v1.5.4

v1.6.0

v1.6.1

v1.6.3

v1.6.3.1

v1.6.3.2

v1.6.4

v1.7.0

v1.7.1

v1.7.2

v1.7.3

v1.7.3.1

v1.7.3.2

v1.8.0

v1.8.1

v1.8.1.1

v1.8.1.2

v1.9.0

v1.9.1

v1.9.1.1

v1.9.1.2

v1.9.1.3

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66292.json"