Platform
go
Component
github.com/donknap/dpanel
Fixed in
1.9.3
1.9.2
CVE-2025-66292 describes an arbitrary file deletion vulnerability discovered in DPanel, a Go-based control panel. This vulnerability allows an attacker to delete files on the server, potentially leading to data loss or system compromise. The vulnerability resides in the /api/common/attach/delete interface and impacts versions of DPanel prior to 1.9.2. A patch has been released to address this issue.
The arbitrary file deletion vulnerability in DPanel poses a significant risk to system integrity and data confidentiality. An attacker exploiting this flaw can delete critical system files, configuration files, or user data, effectively disrupting service or causing irreversible data loss. The blast radius extends to any files accessible by the vulnerable interface, potentially including those within the web root or other sensitive directories. Successful exploitation could also facilitate privilege escalation if the attacker can delete files required for authentication or authorization, allowing them to gain unauthorized access to the system.
As of the publication date (2026-01-23), there is no indication of active exploitation of CVE-2025-66292. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, suggesting a relatively low probability of immediate exploitation. However, given the ease of exploitation and the potential impact, it is crucial to apply the patch promptly.
Exploit Status
EPSS
0.05% (16th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-66292 is to upgrade DPanel to version 1.9.2 or later, which includes the necessary fix. If immediate upgrading is not feasible, consider implementing temporary workarounds such as restricting access to the /api/common/attach/delete endpoint using a web application firewall (WAF) or proxy server. Configure the WAF to block requests originating from untrusted sources or those lacking proper authentication. Additionally, review file permissions and ownership to minimize the potential impact of a successful attack. After upgrading, verify the fix by attempting to access the /api/common/attach/delete endpoint with invalid parameters and confirming that file deletion is prevented.
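The advisory names the defect class (an endpoint that deletes whatever file it is pointed at) but not the fix itself. The following Go snippet is an added illustration of the confinement pattern a file-deletion handler for a route such as /api/common/attach/delete should use; it is not DPanel's code and does not claim to mirror the project's actual bug or patch. The attachment root directory, the `name` request parameter and the handler wiring are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net/http"
	"os"
	"path/filepath"
	"strings"
)

// attachRoot is the only directory the handler may delete from (assumed path).
const attachRoot = "/var/lib/dpanel/attach"

// ErrOutsideRoot is returned for any name that would leave the attachment root.
var ErrOutsideRoot = errors.New("requested path escapes the attachment root")

// escapes reports whether a path relative to the root points at the root
// itself ("."), at its parent ("..") or anywhere above it ("../...").
func escapes(rel string) bool {
	return rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// ResolveWithinRoot maps a user-supplied relative name onto an absolute path
// under root, rejecting absolute names and any ".." traversal lexically.
func ResolveWithinRoot(root, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) {
		return "", ErrOutsideRoot
	}
	cleanRoot := filepath.Clean(root)
	candidate := filepath.Join(cleanRoot, name) // Join collapses ".." segments
	rel, err := filepath.Rel(cleanRoot, candidate)
	if err != nil || escapes(rel) {
		return "", ErrOutsideRoot
	}
	return candidate, nil
}

// DeleteAttachment removes one regular file under root. After the lexical
// check it resolves symlinks in the parent directory, so a link planted
// inside root cannot redirect the deletion to another directory.
func DeleteAttachment(root, name string) error {
	target, err := ResolveWithinRoot(root, name)
	if err != nil {
		return err
	}
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return err
	}
	realParent, err := filepath.EvalSymlinks(filepath.Dir(target))
	if err != nil {
		return err
	}
	rel, err := filepath.Rel(realRoot, realParent)
	if err != nil || (rel != "." && escapes(rel)) {
		return ErrOutsideRoot
	}
	// Lstat (not Stat) so a symlink as the final component is seen as a link.
	info, err := os.Lstat(target)
	if err != nil {
		return err
	}
	if !info.Mode().IsRegular() {
		return fmt.Errorf("refusing to delete non-regular file %q", name)
	}
	return os.Remove(target)
}

// deleteHandler is a hypothetical binding of the delete route to the checks
// above; traversal attempts are answered with 400 and never reach the disk.
func deleteHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	switch err := DeleteAttachment(attachRoot, r.FormValue("name")); {
	case err == nil:
		w.WriteHeader(http.StatusNoContent)
	case errors.Is(err, ErrOutsideRoot):
		http.Error(w, "invalid attachment name", http.StatusBadRequest)
	case errors.Is(err, os.ErrNotExist):
		http.Error(w, "not found", http.StatusNotFound)
	default:
		http.Error(w, "deletion failed", http.StatusInternalServerError)
	}
}

func main() {
	http.HandleFunc("/api/common/attach/delete", deleteHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

The lexical check alone is not enough: a symlinked subdirectory inside the root would pass it, which is why `DeleteAttachment` compares the symlink-resolved parent against the resolved root before calling `os.Remove`. The same two checks are what the post-upgrade verification step above is probing for when it sends invalid parameters and expects no deletion.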
Update DPanel to version 1.9.2 or later. This version fixes the arbitrary file deletion vulnerability. The update can be performed by downloading the new version from the official repository and replacing the existing files.
CVE-2025-66292 is a vulnerability in DPanel allowing attackers to delete arbitrary files. It has a CVSS score of 8.1 (HIGH) and affects versions before 1.9.2.
You are affected if you are running a DPanel version earlier than 1.9.2, the release that contains the fix. Check your DPanel version and upgrade immediately if necessary.
Upgrade DPanel to version 1.9.2 or later. As a temporary workaround, restrict access to the /api/common/attach/delete endpoint using a WAF or proxy.
There is currently no evidence of active exploitation, but the vulnerability's ease of exploitation warrants prompt patching.
Refer to the DPanel official website and GitHub repository for the latest security advisories and patch releases.