CVE-2025-66292: DPanel has an arbitrary file deletion vulnerability in /api/common/attach/delete interface

January 15, 2026

DPanel has an arbitrary file deletion vulnerability in the /api/common/attach/delete interface. Authenticated users can delete arbitrary files on the server via path traversal.

References

github.com/advisories/GHSA-vh2x-fw87-4fxq
github.com/donknap/dpanel
github.com/donknap/dpanel/commit/cbda0d90204e8212f2010774345c952e42069119
github.com/donknap/dpanel/security/advisories/GHSA-vh2x-fw87-4fxq
nvd.nist.gov/vuln/detail/CVE-2025-66292

Code Behaviors & Features

Detect and mitigate CVE-2025-66292 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →