CVE-2025-30206

Name of the Vulnerable Software and Affected Versions Dpanel versions prior to 1.6.1

Description The Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine. This security flaw enables attackers to analyze the source code, discover the embedded secret, and craft legitimate JWT tokens. By forging these tokens, an attacker can successfully bypass authentication mechanisms, impersonate privileged users, and gain unauthorized administrative access. This issue can lead to severe consequences such as sensitive data exposure, unauthorized command execution, privilege escalation, or further lateral movement within the network environment.

Recommendations For versions prior to 1.6.1, update to version 1.6.1 to resolve the issue. As a temporary workaround, consider replacing the hardcoded secret with a securely generated value and load it from secure configuration storage.