Medium severityOSV Advisory· Published Aug 22, 2025· Updated Apr 29, 2026

CVE-2025-53363

Description

dpanel is an open source server management panel written in Go. In versions 1.2.0 through 1.7.2, dpanel allows authenticated users to read arbitrary files from the server via the /api/app/compose/get-from-uri API endpoint. The vulnerability exists in the GetFromUri function in app/application/http/controller/compose.go, where the uri parameter is passed directly to os.ReadFile without proper validation or access control. A logged-in attacker can exploit this flaw to read sensitive files from the host system, leading to information disclosure. No patched version is available as of this writing.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/donknap/dpanelGo	>= 1.2.0, <= 1.7.2	—

Affected products

Donknap/DpanelOSV

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-gcqf-pxgg-gw8qghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-53363ghsaADVISORY
github.com/donknap/dpanel/security/advisories/GHSA-gcqf-pxgg-gw8qnvdWEB
pkg.go.dev/vuln/GO-2025-3909ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000