CVE-2025-53363

MEDIUM

dpanel <1.7.2 - Info Disclosure

Title source: llm

Description

dpanel is an open source server management panel written in Go. In versions 1.2.0 through 1.7.2, dpanel allows authenticated users to read arbitrary files from the server via the /api/app/compose/get-from-uri API endpoint. The vulnerability exists in the GetFromUri function in app/application/http/controller/compose.go, where the uri parameter is passed directly to os.ReadFile without proper validation or access control. A logged-in attacker can exploit this flaw to read sensitive files from the host system, leading to information disclosure. No patched version is available as of this writing.

References (1)

[Vendor Advisory] https://github.com/donknap/dpanel/security/advisories/GHSA-gcqf-pxgg-gw8q

Scores

CVSS v4 4.8

EPSS 0.0009

EPSS Percentile 25.8%

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:P

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-22 CWE-73

Status published

Products (2)

donknap/dpanel 1.2.0Go

donknap/dpanel >= 1.2.0, <= 1.7.2

Published Aug 22, 2025

Tracked Since Feb 18, 2026