Description
Advisory GHSA-vh2x-fw87-4fxq references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/donknap/dpanel |
Description:
Summary
DPanel has an arbitrary file deletion vulnerability in the /api/common/attach/delete interface. Authenticated users can delete arbitrary files on the server via path traversal.
Details
When a user logs into the administrative backend, this interface can be used to delete files. The vulnerability lies in the Delete function within the app/common/http/controller/attach.go file.
The path parameter submitted by the user is directly passed to storage.Local{}.GetSaveRealPath and subsequently to os.Remove without proper sanitization or checking for path traversal charact...
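The advisory describes the classic shape of this bug: a user-controlled relative path is joined onto the storage root and handed to `os.Remove` without confirming the result still lies inside that root. The Go program below is an added example written for this report, not DPanel's own code; `naiveRealPath`, `safeRealPath`, `deleteAttachment` and the storage root `/var/lib/dpanel/storage` are hypothetical names chosen to illustrate the fix pattern. It shows the unchecked join side by side with a containment check that resolves the path, compares it against the base directory with `filepath.Rel`, and refuses anything that escapes (or that targets the base directory itself).

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a requested path does not resolve to a
// location strictly inside the attachment directory.
var ErrOutsideBase = errors.New("path resolves outside attachment directory")

// naiveRealPath mirrors the unsafe pattern described in the advisory: the
// user-supplied path is joined onto the storage root with no containment
// check, so ".." segments walk out of the root. (hypothetical helper)
func naiveRealPath(base, userPath string) string {
	return filepath.Join(base, userPath)
}

// safeRealPath resolves userPath beneath base and returns ErrOutsideBase
// unless the cleaned result is strictly inside base. (hypothetical helper)
func safeRealPath(base, userPath string) (string, error) {
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	// Attachments are always addressed relative to the root; an absolute
	// client path is never legitimate.
	if filepath.IsAbs(userPath) {
		return "", ErrOutsideBase
	}
	// Join already runs Clean, which collapses "." and ".." segments, so the
	// comparison below sees the real target rather than the raw string.
	resolved := filepath.Join(absBase, userPath)
	rel, err := filepath.Rel(absBase, resolved)
	if err != nil {
		return "", err
	}
	// Reject the base itself (".") and anything that climbs above it.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return resolved, nil
}

// deleteAttachment is the guarded delete: resolve and validate first, and
// only call os.Remove on a path that passed the containment check.
func deleteAttachment(base, userPath string) error {
	real, err := safeRealPath(base, userPath)
	if err != nil {
		return err
	}
	return os.Remove(real)
}

func main() {
	base := "/var/lib/dpanel/storage" // constructed example root, not DPanel's real layout
	for _, p := range []string{"uploads/report.pdf", "../../etc/passwd", "/etc/passwd", "."} {
		fmt.Printf("naive: %-20s -> %s\n", p, naiveRealPath(base, p))
		real, err := safeRealPath(base, p)
		fmt.Printf("safe:  %-20s -> %q err=%v\n", p, real, err)
	}
}
```

The check is done on the cleaned, joined path rather than by scanning the input for `..` substrings, so encoded or doubled separators that `filepath.Clean` normalises are handled the same way as a literal traversal. On a real deployment the base directory should also be an absolute, trusted path, which is why the helper runs `filepath.Abs` on it before comparing.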
References:
- ADVISORY: GHSA-vh2x-fw87-4fxq
- ADVISORY: GHSA-vh2x-fw87-4fxq
- FIX: donknap/dpanel@cbda0d9
Cross references:
- github.com/donknap/dpanel appears in 2 other report(s):
- data/reports/GO-2025-3612.yaml (x/vulndb: potential Go vuln in github.com/donknap/dpanel: GHSA-j752-cjcj-w847 #3612)
- data/reports/GO-2025-3909.yaml (x/vulndb: potential Go vuln in github.com/donknap/dpanel: GHSA-gcqf-pxgg-gw8q #3909)
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: github.com/donknap/dpanel
      versions:
        - fixed: 1.9.2
      vulnerable_at: 1.9.1
summary: |-
    DPanel has an arbitrary file deletion vulnerability in /api/common/attach/delete
    interface in github.com/donknap/dpanel
cves:
    - CVE-2025-66292
ghsas:
    - GHSA-vh2x-fw87-4fxq
references:
    - advisory: https://github.com/advisories/GHSA-vh2x-fw87-4fxq
    - advisory: https://github.com/donknap/dpanel/security/advisories/GHSA-vh2x-fw87-4fxq
    - fix: https://github.com/donknap/dpanel/commit/cbda0d90204e8212f2010774345c952e42069119
source:
    id: GHSA-vh2x-fw87-4fxq
    created: 2026-01-15T18:01:30.833218135Z
review_status: UNREVIEWED
```