PT-2026-3062 · Dpanel · Dpanel

Published: 2026-01-15 · Updated: 2026-03-12 · CVE-2025-66292

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: DPanel versions prior to 1.9.2
Description: DPanel has an arbitrary file deletion issue in the /api/common/attach/delete API endpoint. Authenticated users can delete arbitrary files on the server through path traversal. The issue resides in the Delete function within the app/common/http/controller/attach.go file. The user-submitted path parameter is passed directly to storage.Local{}.GetSaveRealPath and then to os.Remove without sanitization or any check for path traversal sequences (e.g., ../). The helper function in common/service/storage/local.go uses filepath.Join, which resolves ../ but does not confine the result to a chroot or jail. A proof-of-concept demonstrates the ability to delete files by sending a POST request to the /dpanel/api/common/attach/delete endpoint with a crafted path parameter. An Authorization token is required, so the attacker must be authenticated. The vulnerable parameter is path.
Recommendations: Versions prior to 1.9.2 should be updated to version 1.9.2 or later.
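The advisory's root cause is that filepath.Join cleans "../" segments but never confines the result to the storage directory. The following is an added illustration, not DPanel's code: a hypothetical Local helper showing the weak join beside a hardened version that rejects any resolved path outside Root before os.Remove is reached (assumes a POSIX path layout and a Root such as /srv/dpanel/attach, both constructed here).

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a user-supplied path resolves outside Root.
var ErrOutsideRoot = errors.New("path escapes storage root")
// Local is a hypothetical stand-in for the storage helper, not DPanel's code.
type Local struct{ Root string }

// UnsafeRealPath is the weak pattern: filepath.Join collapses "../" but does
// nothing to keep the result under Root.
func (l Local) UnsafeRealPath(userPath string) string {
	return filepath.Join(l.Root, userPath)
}

// SafeRealPath joins, then requires the cleaned absolute result to sit strictly
// below Root (Root itself is never a valid delete target).
func (l Local) SafeRealPath(userPath string) (string, error) {
	root, err := filepath.Abs(l.Root)
	if err != nil {
		return "", err
	}
	full := filepath.Join(root, userPath) // Join runs Clean, resolving ".."
	if !strings.HasPrefix(full, root+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

// Delete removes a file only after SafeRealPath has confined it to Root.
func (l Local) Delete(userPath string) error {
	p, err := l.SafeRealPath(userPath)
	if err != nil {
		return err
	}
	return os.Remove(p)
}

func main() {
	l := Local{Root: "/srv/dpanel/attach"}
	fmt.Println(l.UnsafeRealPath("../../../etc/passwd")) // escapes Root entirely
	_, err := l.SafeRealPath("../../../etc/passwd")
	fmt.Println(err) // path escapes storage root
}
```

The prefix check does not resolve symlinks inside Root; where Root may contain them, pass the result through filepath.EvalSymlinks and re-check the prefix before removing.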

Tags: Exploit · Fix · Path traversal

Weakness Enumeration

Related Identifiers

CVE-2025-66292
GHSA-VH2X-FW87-4FXQ
GO-2026-4318
SUSE-SU-2026:0292-1

Affected Products

Dpanel