CVE-2025-66292: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in donknap dpanel
DPanel is an open source server management panel written in Go. Prior to 1.9.2, DPanel has an arbitrary file deletion vulnerability in the /api/common/attach/delete interface. Authenticated users can delete arbitrary files on the server via path traversal. When a user logs into the administrative backend, this interface can be used to delete files. The vulnerability lies in the Delete function within the app/common/http/controller/attach.go file. The path parameter submitted by the user is directly passed to storage.Local{}.GetSaveRealPath and subsequently to os.Remove without proper sanitization or checking for path traversal characters (../). And the helper function in common/service/storage/local.go uses filepath.Join, which resolves ../ but does not enforce a chroot/jail. This vulnerability is fixed in 1.9.2.
AI Analysis
Technical Summary
CVE-2025-66292 is a path traversal vulnerability classified under CWE-22 and CWE-73, found in donknap's DPanel server management software prior to version 1.9.2. The vulnerability exists in the /api/common/attach/delete API endpoint, where authenticated users can submit a path parameter that is insufficiently sanitized. Specifically, the Delete function in app/common/http/controller/attach.go passes this parameter directly to storage.Local{}.GetSaveRealPath and then to os.Remove for file deletion. Although filepath.Join is used internally to resolve relative paths, it does not enforce a chroot or jail environment, allowing traversal sequences like '../' to escape the intended directory boundaries. This flaw enables attackers with legitimate backend access to delete arbitrary files on the server, potentially including critical system files or application data, leading to denial of service or data integrity compromise. The vulnerability requires authentication but no user interaction beyond API calls. The CVSS v3.1 score is 8.1 (high), reflecting network attack vector, low attack complexity, privileges required, no user interaction, unchanged scope, no confidentiality impact, but high integrity and availability impacts. The issue was publicly disclosed in January 2026 and fixed in DPanel version 1.9.2. No known exploits have been reported in the wild as of now.
Potential Impact
For European organizations, this vulnerability poses a significant risk to server stability and data integrity, especially for those relying on DPanel for server management. Successful exploitation can lead to arbitrary deletion of files, potentially causing service outages, loss of critical configuration or operational data, and increased recovery costs. Organizations in sectors with high regulatory requirements for data integrity and availability, such as finance, healthcare, and critical infrastructure, could face compliance violations and reputational damage if exploited. Since the vulnerability requires authenticated access to the administrative backend, the risk is elevated if credential management is weak or if insider threats exist. The ability to delete arbitrary files can also facilitate further attacks by removing logs or security controls. Given the open-source nature of DPanel, organizations using customized or older versions may be unaware of the vulnerability, increasing exposure.
Mitigation Recommendations
European organizations should immediately upgrade DPanel installations to version 1.9.2 or later, where the vulnerability is patched. Until patching is possible, restrict administrative backend access strictly via network segmentation, VPNs, or IP whitelisting to limit exposure. Implement strong authentication mechanisms, including multi-factor authentication, to reduce the risk of credential compromise. Conduct thorough audits of user permissions to ensure only trusted personnel have access to the vulnerable API endpoint. Monitor server logs for unusual file deletion activities and implement file integrity monitoring to detect unauthorized changes. Consider deploying web application firewalls (WAFs) with custom rules to detect and block path traversal patterns in API requests. Finally, educate administrators on the risks of path traversal and the importance of timely patching and secure configuration.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
CVE-2025-66292: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in donknap dpanel
Description
DPanel is an open source server management panel written in Go. Prior to 1.9.2, DPanel has an arbitrary file deletion vulnerability in the /api/common/attach/delete interface. Authenticated users can delete arbitrary files on the server via path traversal. When a user logs into the administrative backend, this interface can be used to delete files. The vulnerability lies in the Delete function within the app/common/http/controller/attach.go file. The path parameter submitted by the user is directly passed to storage.Local{}.GetSaveRealPath and subsequently to os.Remove without proper sanitization or checking for path traversal characters (../). And the helper function in common/service/storage/local.go uses filepath.Join, which resolves ../ but does not enforce a chroot/jail. This vulnerability is fixed in 1.9.2.
AI-Powered Analysis
Technical Analysis
CVE-2025-66292 is a path traversal vulnerability classified under CWE-22 and CWE-73, found in donknap's DPanel server management software prior to version 1.9.2. The vulnerability exists in the /api/common/attach/delete API endpoint, where authenticated users can submit a path parameter that is insufficiently sanitized. Specifically, the Delete function in app/common/http/controller/attach.go passes this parameter directly to storage.Local{}.GetSaveRealPath and then to os.Remove for file deletion. Although filepath.Join is used internally to resolve relative paths, it does not enforce a chroot or jail environment, allowing traversal sequences like '../' to escape the intended directory boundaries. This flaw enables attackers with legitimate backend access to delete arbitrary files on the server, potentially including critical system files or application data, leading to denial of service or data integrity compromise. The vulnerability requires authentication but no user interaction beyond API calls. The CVSS v3.1 score is 8.1 (high), reflecting network attack vector, low attack complexity, privileges required, no user interaction, unchanged scope, no confidentiality impact, but high integrity and availability impacts. The issue was publicly disclosed in January 2026 and fixed in DPanel version 1.9.2. No known exploits have been reported in the wild as of now.
Potential Impact
For European organizations, this vulnerability poses a significant risk to server stability and data integrity, especially for those relying on DPanel for server management. Successful exploitation can lead to arbitrary deletion of files, potentially causing service outages, loss of critical configuration or operational data, and increased recovery costs. Organizations in sectors with high regulatory requirements for data integrity and availability, such as finance, healthcare, and critical infrastructure, could face compliance violations and reputational damage if exploited. Since the vulnerability requires authenticated access to the administrative backend, the risk is elevated if credential management is weak or if insider threats exist. The ability to delete arbitrary files can also facilitate further attacks by removing logs or security controls. Given the open-source nature of DPanel, organizations using customized or older versions may be unaware of the vulnerability, increasing exposure.
Mitigation Recommendations
European organizations should immediately upgrade DPanel installations to version 1.9.2 or later, where the vulnerability is patched. Until patching is possible, restrict administrative backend access strictly via network segmentation, VPNs, or IP whitelisting to limit exposure. Implement strong authentication mechanisms, including multi-factor authentication, to reduce the risk of credential compromise. Conduct thorough audits of user permissions to ensure only trusted personnel have access to the vulnerable API endpoint. Monitor server logs for unusual file deletion activities and implement file integrity monitoring to detect unauthorized changes. Consider deploying web application firewalls (WAFs) with custom rules to detect and block path traversal patterns in API requests. Finally, educate administrators on the risks of path traversal and the importance of timely patching and secure configuration.
Affected Countries
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2025-11-26T23:11:46.392Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 696916c94c611209ad420d99
Added to database: 1/15/2026, 4:33:13 PM
Last enriched: 1/15/2026, 4:39:15 PM
Last updated: 1/15/2026, 7:33:37 PM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-22803: CWE-789: Memory Allocation with Excessive Size Value in sveltejs kit
HighCVE-2026-0227: CWE-754 Improper Check for Unusual or Exceptional Conditions in Palo Alto Networks Cloud NGFW
MediumCVE-2026-22774: CWE-405: Asymmetric Resource Consumption (Amplification) in sveltejs devalue
HighCVE-2026-22775: CWE-405: Asymmetric Resource Consumption (Amplification) in sveltejs devalue
HighCVE-2025-70303: n/a
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.