Arbitrary File Deletion Vulnerability in DPanel by Donknap
CVE-2025-66292

8.1HIGH

Key Information:

Vendor

Donknap

Status
Dpanel
Vendor
CVE Published:
15 January 2026

What is CVE-2025-66292?

DPanel, an open-source server management panel developed in Go, contains a vulnerability that allows authenticated users to delete arbitrary files from the server through unsanitized path traversal in the /api/common/attach/delete interface. This issue originates from the Delete function, where user-supplied path parameters are inadequately handled. The affected code does not enforce proper checks during file deletion, leading to potential exploitation. This security flaw has been resolved in version 1.9.2, making it imperative for users to upgrade and safeguard their systems against unauthorized file deletion.

Affected Version(s)

dpanel < 1.9.2

References

https://github.com/donknap/dpanel/security/advisories/GHS...
x_refsource_CONFIRM
https://github.com/donknap/dpanel/commit/cbda0d90204e8212...
x_refsource_MISC
https://github.com/donknap/dpanel/releases/tag/v1.9.2
x_refsource_MISC

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.