CVE-2025-66292
Published: 15 January 2026
Summary
CVE-2025-66292 is a high-severity Path Traversal (CWE-22) vulnerability in DPanel. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique File Deletion (T1070.004). The flaw ranks at the 19th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly validates user-supplied path parameters in the delete endpoint to block path traversal sequences like ../, preventing arbitrary file deletion.
- SI-2 (Flaw Remediation): requires timely remediation of the specific flaw by patching to DPanel 1.9.2 or later, which sanitizes paths and enforces directory restrictions.
- AC-3 (Access Enforcement): enforces access control policies on file system operations so that authenticated users cannot delete files outside the intended attachment directory.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file deletion via path traversal directly enables T1070.004 (File Deletion) for indicator removal and T1485 (Data Destruction) for service/data impact.
NVD Description
DPanel is an open source server management panel written in Go. Prior to 1.9.2, DPanel has an arbitrary file deletion vulnerability in the /api/common/attach/delete interface. Authenticated users can delete arbitrary files on the server via path traversal. When a user logs into the administrative backend, this interface can be used to delete files. The vulnerability lies in the Delete function within the app/common/http/controller/attach.go file. The path parameter submitted by the user is directly passed to storage.Local{}.GetSaveRealPath and subsequently to os.Remove without proper sanitization or checking for path traversal characters (../). And the helper function in common/service/storage/local.go uses filepath.Join, which resolves ../ but does not enforce a chroot/jail. This vulnerability is fixed in 1.9.2.
Deeper analysis
DPanel, an open-source server management panel written in Go, contains an arbitrary file deletion vulnerability (CVE-2025-66292) affecting versions prior to 1.9.2. The issue resides in the /api/common/attach/delete interface, specifically the Delete function in app/common/http/controller/attach.go. User-supplied path parameters are passed unsanitized to storage.Local{}.GetSaveRealPath and then to os.Remove, allowing path traversal via sequences like ../. The helper function in common/service/storage/local.go employs filepath.Join, which resolves ../ segments lexically but does nothing to confine the resulting path to the attachment directory, since no chroot or jail is enforced. This flaw is rated 8.1 on the CVSS 3.1 scale (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) and maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-73 (External Control of File Name or Path).
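The following Go example is added here to make the filepath.Join behaviour concrete; it is not DPanel's code and not the project's fix. vulnerableSavePath is a hypothetical reconstruction of the join-then-remove pattern the advisory describes, and safeSavePath is one way to harden it by proving the joined path is still inside the storage root. The root /data/attach and the sample inputs are assumptions for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a user-supplied path would resolve outside the attachment root.
var ErrOutsideRoot = errors.New("path escapes attachment root")

// vulnerableSavePath reproduces the pattern the advisory describes: the
// user-controlled value is joined onto the storage root and the result would be
// handed straight to os.Remove. filepath.Join cleans the result, so "../"
// segments are resolved lexically rather than rejected, and the returned path
// can point anywhere on the filesystem. Hypothetical reconstruction, not DPanel's code.
func vulnerableSavePath(root, userPath string) string {
	return filepath.Join(root, userPath)
}

// safeSavePath joins the same way but then proves the result is still inside
// root before it is used. Absolute inputs are refused, and the relative path
// from root to the target must not begin with "..".
func safeSavePath(root, userPath string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	if filepath.IsAbs(userPath) {
		return "", ErrOutsideRoot
	}
	target := filepath.Join(absRoot, userPath) // ".." is resolved here, not rejected
	rel, err := filepath.Rel(absRoot, target)
	if err != nil {
		return "", err
	}
	// rel is "." for the root itself (never a legitimate attachment),
	// and ".." or "../x" when the target has escaped the root.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return target, nil
}

func main() {
	root := "/data/attach" // assumed attachment root for the demonstration
	for _, p := range []string{"uploads/report.pdf", "../../etc/passwd", "/etc/passwd", "uploads/../../x"} {
		safe, err := safeSavePath(root, p)
		fmt.Printf("%-18q vulnerable=%-28q safe=%q err=%v\n", p, vulnerableSavePath(root, p), safe, err)
	}
}
```

The check is purely lexical: it stops ../ escapes but not a symlink inside the root that points elsewhere. If the deployment can rely on Go 1.24 or later, opening the root with os.OpenRoot and calling Remove on the returned *os.Root enforces containment at the OS level, which is the closer analogue of the "chroot/jail" the NVD text says was missing.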
Authenticated users with access to the administrative backend can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By submitting crafted path parameters to the delete endpoint, an attacker can traverse directories and delete arbitrary files on the server, potentially disrupting services, destroying data, or enabling further compromise through targeted deletion of configuration files or binaries.
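For the detection side of the T1070.004 / T1485 mapping above, the Go scanner below is an added example (not part of the page or of DPanel) that flags requests to the delete endpoint whose path parameter climbs out of the attachment directory. The access-log lines are constructed in Common Log Format for this example, and the assumption that the path parameter arrives in the query string is ours; if the panel takes it in a JSON body, run hasTraversal over the parsed body field instead.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// sampleAccessLog is constructed for this example; it is not a real DPanel or
// reverse-proxy log. Line 3 double-encodes the traversal to show why a single
// decode pass is not enough.
const sampleAccessLog = `10.0.0.5 - admin [15/Jan/2026:10:01:02 +0000] "POST /api/common/attach/delete?path=uploads/report.pdf HTTP/1.1" 200 17
10.0.0.9 - admin [15/Jan/2026:10:01:09 +0000] "POST /api/common/attach/delete?path=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 17
10.0.0.9 - admin [15/Jan/2026:10:01:15 +0000] "POST /api/common/attach/delete?path=..%252F..%252Fapp%252Fconfig.yaml HTTP/1.1" 200 17
10.0.0.7 - admin [15/Jan/2026:10:02:00 +0000] "GET /api/common/attach/list HTTP/1.1" 200 512`

var requestLineRe = regexp.MustCompile(`"(?:GET|POST|PUT|DELETE) (\S+) HTTP/`)

// Finding is one delete request whose path parameter contains a parent-directory segment.
type Finding struct {
	Line   int
	Client string
	Path   string // fully decoded path parameter
}

// decodeFully unescapes repeatedly (bounded) so double-encoded traversal is not missed.
func decodeFully(s string) string {
	for i := 0; i < 3 && strings.Contains(s, "%"); i++ {
		d, err := url.QueryUnescape(s)
		if err != nil || d == s {
			break
		}
		s = d
	}
	return s
}

// hasTraversal reports whether any segment is "..", treating both slash styles as separators.
func hasTraversal(p string) bool {
	for _, seg := range strings.FieldsFunc(p, func(r rune) bool { return r == '/' || r == '\\' }) {
		if seg == ".." {
			return true
		}
	}
	return false
}

// ScanAccessLog returns every request to the delete endpoint whose path parameter traverses upward.
func ScanAccessLog(log string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(log, "\n") {
		m := requestLineRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		u, err := url.Parse(m[1])
		if err != nil || u.Path != "/api/common/attach/delete" {
			continue
		}
		p := decodeFully(u.Query().Get("path")) // Query() already removes one layer of encoding
		if hasTraversal(p) {
			findings = append(findings, Finding{Line: i + 1, Client: strings.Fields(line)[0], Path: p})
		}
	}
	return findings
}

func main() {
	for _, f := range ScanAccessLog(sampleAccessLog) {
		fmt.Printf("line %d: client %s sent traversal path %q to the delete endpoint\n", f.Line, f.Client, f.Path)
	}
}
```

Because the endpoint requires an authenticated backend user, a hit is either a compromised or abused admin session; pairing the finding with the authenticated user name in the log (the third field here) gives the incident responder the account to pivot on.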
The vulnerability is addressed in DPanel version 1.9.2, as detailed in the project's security advisory (GHSA-vh2x-fw87-4fxq), release notes, and fixing commit (cbda0d90204e8212f2010774345c952e42069119). Security practitioners should upgrade to 1.9.2 or later and review access controls for the administrative backend to mitigate exposure.
Details
- CWE(s)