CVE-2025-53363

Name of the Vulnerable Software and Affected Versions: dpanel versions 1.2.0 through 1.7.2

Description: dpanel is a server management panel written in Go. Versions of the software allow authenticated users to read arbitrary files from the server via the /api/app/compose/get-from-uri API endpoint. The issue resides in the GetFromUri function within app/application/http/controller/compose.go, where the uri parameter is directly passed to os.ReadFile without sufficient validation or access control. This can lead to information disclosure as a logged-in attacker can read sensitive files from the host system.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.