GHSA-VH2X-FW87-4FXQ

Vulnerability from github – Published: 2026-01-15 17:58 – Updated: 2026-01-15 20:17
Summary
DPanel has an arbitrary file deletion vulnerability in /api/common/attach/delete interface
Details

Summary

DPanel has an arbitrary file deletion vulnerability in the /api/common/attach/delete interface. Authenticated users can delete arbitrary files on the server via path traversal.

Details

When a user logs into the administrative backend, this interface can be used to delete files. The vulnerability lies in the Delete function within the app/common/http/controller/attach.go file.

The path parameter submitted by the user is directly passed to storage.Local{}.GetSaveRealPath and subsequently to os.Remove without proper sanitization or checking for path traversal characters (../).

The vulnerable code snippet is shown as a screenshot in the original advisory (not reproduced here).

And the helper function in common/service/storage/local.go uses filepath.Join, which resolves ../ but does not enforce a chroot/jail (also shown as a screenshot in the original advisory).
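The containment check the advisory says is missing, as an added Go example that is not DPanel's code: unsafeRealPath reproduces the filepath.Join-only pattern described above, safeRealPath verifies that the cleaned path still lies beneath the storage root, and DeleteAttachment calls os.Remove only on a path that passed that check. The storage root and file names are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)
var ErrOutsideRoot = errors.New("path escapes storage root")

// unsafeRealPath mirrors the pattern the advisory describes (illustrative, not
// DPanel's code): Join collapses "../" but never checks the result stays in root.
func unsafeRealPath(root, userPath string) string {
	return filepath.Join(root, userPath)
}

// safeRealPath joins, then checks containment lexically: the path relative to
// root must not be "." (root itself) and must not start with "..". Caveat: a
// symlink inside root pointing outside is not caught; os.OpenRoot (Go 1.24+) is.
func safeRealPath(root, userPath string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	full := filepath.Join(absRoot, userPath)
	rel, err := filepath.Rel(absRoot, full)
	if err != nil {
		return "", err
	}
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

// DeleteAttachment is the hardened delete: os.Remove only sees a checked path.
func DeleteAttachment(root, userPath string) error {
	full, err := safeRealPath(root, userPath)
	if err != nil {
		return err
	}
	return os.Remove(full)
}
func main() {
	root := "/app/storage/attach" // constructed sample storage root
	p := "../../../../../../../../tmp/1.txt"
	fmt.Println(unsafeRealPath(root, p))   // /tmp/1.txt
	fmt.Println(DeleteAttachment(root, p)) // path escapes storage root
}
```

A lexical check like this catches the traversal in the advisory's request, but a symlink already present under the storage root still needs OS-level enforcement such as os.OpenRoot.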

PoC

  1. Log in to the DPanel dashboard to obtain the Authorization token.
  2. Send a POST request to delete a file (e.g., /tmp/1.txt inside the container).

Request:

POST /dpanel/api/common/attach/delete HTTP/1.1
Host: target-ip:8807
Authorization: Bearer <YOUR_TOKEN>
Content-Type: application/x-www-form-urlencoded

path=../../../../../../../../tmp/1.txt



{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/donknap/dpanel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66292"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-15T17:58:42Z",
    "nvd_published_at": "2026-01-15T17:16:04Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nDPanel has an arbitrary file deletion vulnerability in the `/api/common/attach/delete` interface. Authenticated users can delete arbitrary files on the server via path traversal.\n\n### Details\nWhen a user logs into the administrative backend, this interface can be used to delete files. The vulnerability lies in the `Delete` function within the `app/common/http/controller/attach.go` file.\n\nThe `path` parameter submitted by the user is directly passed to `storage.Local{}.GetSaveRealPath` and subsequently to `os.Remove` without proper sanitization or checking for path traversal characters (`../`).\n\nThe vulnerable code snippet:\n\u003cimg width=\"487\" height=\"363\" alt=\"image\" src=\"https://github.com/user-attachments/assets/b811de6f-1df1-49f3-af78-ea77bc420804\" /\u003e\n\n\nAnd the helper function in `common/service/storage/local.go` uses `filepath.Join`, which resolves `../` but does not enforce a chroot/jail:\n\u003cimg width=\"564\" height=\"66\" alt=\"image\" src=\"https://github.com/user-attachments/assets/84d5a4f7-9054-4e1d-aa6b-6b50c80ba277\" /\u003e\n\n### PoC\n1. Log in to the DPanel dashboard to obtain the `Authorization` token.\n2. Send a POST request to delete a file (e.g., `/tmp/1.txt` inside the container).\n\n**Request:**\n```http\nPOST /dpanel/api/common/attach/delete HTTP/1.1\nHost: target-ip:8807\nAuthorization: Bearer \u003cYOUR_TOKEN\u003e\nContent-Type: application/x-www-form-urlencoded\n\npath=../../../../../../../../tmp/1.txt\n```\n\n\u003cimg width=\"1600\" height=\"940\" alt=\"image\" src=\"https://github.com/user-attachments/assets/40e4d3cb-57f7-4a4e-adcc-a9503af762be\" /\u003e\n\u003cimg width=\"346\" height=\"191\" alt=\"image\" src=\"https://github.com/user-attachments/assets/756c0891-e61b-434c-9386-6e701bbb1a97\" /\u003e\n\u003cimg width=\"1310\" height=\"885\" alt=\"image\" src=\"https://github.com/user-attachments/assets/31c883c2-725e-4618-977c-35fe19adafb1\" /\u003e\n\u003cimg width=\"1009\" height=\"209\" alt=\"image\" src=\"https://github.com/user-attachments/assets/2641fdfb-6d73-4940-bd92-44d748e0e6b7\" /\u003e\n\u003cimg width=\"1265\" height=\"876\" alt=\"image\" src=\"https://github.com/user-attachments/assets/14c67ec8-ec37-4820-90be-a24f58819020\" /\u003e",
  "id": "GHSA-vh2x-fw87-4fxq",
  "modified": "2026-01-15T20:17:37Z",
  "published": "2026-01-15T17:58:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/donknap/dpanel/security/advisories/GHSA-vh2x-fw87-4fxq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66292"
    },
    {
      "type": "WEB",
      "url": "https://github.com/donknap/dpanel/commit/cbda0d90204e8212f2010774345c952e42069119"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/donknap/dpanel"
    },
    {
      "type": "WEB",
      "url": "https://github.com/donknap/dpanel/releases/tag/v1.9.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "DPanel has an arbitrary file deletion vulnerability in /api/common/attach/delete interface"
}
