CVE-2025-53363 MEDIUM

CVE-2025-53363: Dpanel has an arbitrary file read vulnerability

Vendor Donknap
Product dpanel
Weakness CWE-73
Published August 22, 2025
Last update August 22, 2025

CVSS base score

4.8/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:P

What the vulnerability does

01 Description

dpanel is an open source server management panel written in Go. In versions 1.2.0 through 1.7.2, dpanel allows authenticated users to read arbitrary files from the server via the /api/app/compose/get-from-uri API endpoint. The vulnerability exists in the GetFromUri function in app/application/http/controller/compose.go, where the uri parameter is passed directly to os.ReadFile without proper validation or access control. A logged-in attacker can exploit this flaw to read sensitive files from the host system, leading to information disclosure. No patched version is available as of this writing.
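The defect class described above (CWE-73, a request-controlled path handed straight to os.ReadFile) and one way to confine it, as an added example that is not dpanel's code or a vendor patch. The helper name `readConfined`, the error `ErrOutsideBase`, and the idea that the endpoint only needs files under a single panel-owned base directory are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a requested path resolves outside the base directory.
var ErrOutsideBase = errors.New("path resolves outside the allowed base directory")

// readConfined (hypothetical helper) reads userPath only if, after symlink
// resolution, it is still located under baseDir.
func readConfined(baseDir, userPath string) ([]byte, error) {
	if filepath.IsAbs(userPath) {
		return nil, ErrOutsideBase // caller must supply a path relative to baseDir
	}
	base, err := filepath.EvalSymlinks(baseDir)
	if err != nil {
		return nil, err
	}
	// Join cleans "." and ".." segments; EvalSymlinks then follows any links.
	resolved, err := filepath.EvalSymlinks(filepath.Join(base, userPath))
	if err != nil {
		return nil, err
	}
	rel, err := filepath.Rel(base, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return nil, ErrOutsideBase
	}
	// Note: a check-then-read like this is still racy if untrusted users can
	// write inside baseDir; the directory is assumed to be panel-owned.
	return os.ReadFile(resolved)
}

func main() {
	// Constructed demo tree: <tmp>/base/compose.yaml is allowed, <tmp>/secret.txt is not.
	tmp, _ := os.MkdirTemp("", "confine-demo")
	defer os.RemoveAll(tmp)
	base := filepath.Join(tmp, "base")
	os.Mkdir(base, 0o755)
	os.WriteFile(filepath.Join(base, "compose.yaml"), []byte("services: {}\n"), 0o644)
	os.WriteFile(filepath.Join(tmp, "secret.txt"), []byte("constructed secret\n"), 0o600)
	for _, p := range []string{"compose.yaml", "../secret.txt", "/etc/hostname"} {
		_, err := readConfined(base, p)
		fmt.Printf("%-16q -> %v\n", p, err)
	}
}
```

Because the endpoint requires a logged-in user, a path check of this kind complements, and does not replace, per-user authorization on which files a given account may request.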

Key dates

02 Disclosure timeline

August 22, 2025 CVE published
August 22, 2025 Record updated
