Qiulongk

**Name of the Vulnerable Software and Affected Versions** 1Panel versions 1.4.3 **Description** 1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, authenticated attackers can download arbitrary files through the API interface, specifically the "POST /api/v1/files/download/bypath" endpoint, by providing a `path` variable, such as `{"path":"/etc/passwd"}`, allowing unauthorized access to the target system's files. This may cause a large amount of information leakage. **Recommendations** For version 1.4.3, update to version 1.5.0 to resolve the issue. As a temporary workaround, consider restricting access to the `/api/v1/files/download/bypath` endpoint until the patch is applied. Avoid using the `path` variable in the affected API endpoint until the issue is resolved.