QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2025-53363

Back to search

CVE-2025-53363

Published: Aug 22, 2025

Modified: Aug 22, 2025

PUBLISHED

Description

dpanel is an open source server management panel written in Go. In versions 1.2.0 through 1.7.2, dpanel allows authenticated users to read arbitrary files from the server via the /api/app/compose/get-from-uri API endpoint. The vulnerability exists in the GetFromUri function in app/application/http/controller/compose.go, where the uri parameter is passed directly to os.ReadFile without proper validation or access control. A logged-in attacker can exploit this flaw to read sensitive files from the host system, leading to information disclosure. No patched version is available as of this writing.

VendorProductVersions

donknap

dpanel

affected
>= 1.2.0, <= 1.7.2

Weaknesses (CWE)

CWE-73
CWE-22

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now