dpanel Information Disclosure Vulnerability via Arbitrary File Read

Vulnerability

An information disclosure vulnerability has been identified in dpanel, an open-source server management panel written in Go. This issue affects versions 1.2.0 through 1.7.2. The vulnerability allows authenticated users to read arbitrary files from the server through the /api/app/compose/get-from-uri API endpoint. The problem arises in the GetFromUri function, where the uri parameter is directly passed to os.ReadFile without adequate validation or access control. As a result, a logged-in attacker could exploit this flaw to access sensitive files on the host system.
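The pattern described above, next to one way to confine such a read, as an added example (not dpanel's code or its actual fix). The names unsafeRead, safeRead, inside and ErrOutsideBase are hypothetical, and the idea of a dedicated base directory for compose files is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideBase = errors.New("path escapes allowed directory")

// unsafeRead shows the pattern the advisory describes: the caller-supplied
// value reaches os.ReadFile unchanged.
func unsafeRead(uri string) ([]byte, error) {
	return os.ReadFile(uri)
}

// inside reports whether p is base itself or a descendant of it.
func inside(base, p string) bool {
	rel, err := filepath.Rel(base, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// safeRead (hypothetical helper) returns a file only if it resolves inside baseDir.
func safeRead(baseDir, uri string) ([]byte, error) {
	base, err := filepath.EvalSymlinks(baseDir)
	if err != nil {
		return nil, err
	}
	// Join treats uri as relative to base, so absolute input is not honoured as-is.
	candidate := filepath.Join(base, uri)
	if !inside(base, candidate) { // lexical check: rejects ../ traversal
		return nil, ErrOutsideBase
	}
	resolved, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		return nil, err
	}
	if !inside(base, resolved) { // post-resolution check: rejects symlink escapes
		return nil, ErrOutsideBase
	}
	return os.ReadFile(resolved)
}

func main() {
	_, err := safeRead(os.TempDir(), "../etc/hostname") // constructed input
	fmt.Println("traversal rejected:", errors.Is(err, ErrOutsideBase))
}
```

A gap remains between the symlink resolution and the final read; on Go 1.24 and later, os.OpenRoot keeps the whole lookup inside the directory and closes that window.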

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive files on the server, causing information disclosure.

Added: Aug 22, 2025, 4:21 PM
Updated: Aug 22, 2025, 6:52 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.