[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2025-66292":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-06T08:55:34.825Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":287,"aliases":297,"duplicate_of":9,"upstream":300,"downstream":301,"duplicates":304,"related":305,"reserved_at":9,"published_at":307,"modified_at":308,"state":309,"summary":310,"references_raw":318,"kevs":350,"epss":351,"epss_history":354,"metrics":626,"affected":636},"CVE-2025-66292","DPanel is an open source server management panel written in Go. Prior to 1.9.2, DPanel has an arbitrary file deletion vulnerability in the /api/common/attach/delete interface. Authenticated users can delete arbitrary files on the server via path traversal. When a user logs into the administrative backend, this interface can be used to delete files. The vulnerability lies in the Delete function within the app/common/http/controller/attach.go file. The path parameter submitted by the user is passed directly to storage.Local{}.GetSaveRealPath and subsequently to os.Remove without proper sanitization or checking for path traversal characters (../). In addition, the helper function in common/service/storage/local.go uses filepath.Join, which resolves ../ segments but does not confine the resulting path to a base directory (no chroot/jail is enforced). 
This vulnerability is fixed in 1.9.2.",null,[11,40],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-22","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.","weakness","Stable","Base","High",[20,24,28,32,36],{"id":21,"name":22,"techniques":23},"CAPEC-126","Path Traversal",[],{"id":25,"name":26,"techniques":27},"CAPEC-64","Using Slashes and URL Encoding Combined to Bypass Validation Logic",[],{"id":29,"name":30,"techniques":31},"CAPEC-76","Manipulating Web Input to File System Calls",[],{"id":33,"name":34,"techniques":35},"CAPEC-78","Using Escaped Slashes in Alternate Encoding",[],{"id":37,"name":38,"techniques":39},"CAPEC-79","Using Slashes in Alternate Encoding",[],{"_key":41,"id":41,"name":42,"description":43,"type":15,"status":44,"abstraction":17,"likelihood_of_exploit":18,"capec":45},"CWE-73","External Control of File Name or Path","The product allows user input to control or influence paths or file names that are used in filesystem operations.","Draft",[46,230,271,273,277,279,281,283],{"id":47,"name":48,"techniques":49},"CAPEC-13","Subverting Environment Variable Values",[50,148,190],{"id":51,"name":52,"tactics":53,"countermeasures":60},"T1562.003","Impair Command History Logging",[54,57],{"id":55,"name":56},"TA0030","Defense Evasion",{"id":58,"name":59},"TA0005","Stealth",[61,66,71,75,79,83,88,92,97,102,106,110,115,119,124,128,132,136,140,144],{"id":62,"name":63,"tactic":64},"D3-CI","Configuration Inventory",{"name":65},"Model",{"id":67,"name":68,"tactic":69},"D3-FA","File 
Analysis",{"name":70},"Detect",{"id":72,"name":73,"tactic":74},"D3-FIM","File Integrity Monitoring",{"name":70},{"id":76,"name":77,"tactic":78},"D3-DA","Dynamic Analysis",{"name":70},{"id":80,"name":81,"tactic":82},"D3-EFA","Emulated File Analysis",{"name":70},{"id":84,"name":85,"tactic":86},"D3-FEV","File Eviction",{"name":87},"Evict",{"id":89,"name":90,"tactic":91},"D3-RKD","Registry Key Deletion",{"name":87},{"id":93,"name":94,"tactic":95},"D3-DF","Decoy File",{"name":96},"Deceive",{"id":98,"name":99,"tactic":100},"D3-DRA","Disable Remote Access",{"name":101},"Harden",{"id":103,"name":104,"tactic":105},"D3-ACH","Application Configuration Hardening",{"name":101},{"id":107,"name":108,"tactic":109},"D3-FE","File Encryption",{"name":101},{"id":111,"name":112,"tactic":113},"D3-RC","Restore Configuration",{"name":114},"Restore",{"id":116,"name":117,"tactic":118},"D3-RF","Restore File",{"name":114},{"id":120,"name":121,"tactic":122},"D3-CQ","Content Quarantine",{"name":123},"Isolate",{"id":125,"name":126,"tactic":127},"D3-CF","Content Filtering",{"name":123},{"id":129,"name":130,"tactic":131},"D3-LFP","Local File Permissions",{"name":123},{"id":133,"name":134,"tactic":135},"D3-RFAM","Remote File Access Mediation",{"name":123},{"id":137,"name":138,"tactic":139},"D3-CM","Content Modification",{"name":123},{"id":141,"name":142,"tactic":143},"D3-EAL","Executable Allowlisting",{"name":123},{"id":145,"name":146,"tactic":147},"D3-EDL","Executable Denylisting",{"name":123},{"id":149,"name":150,"tactics":151,"countermeasures":163},"T1574.006","Dynamic Linker Hijacking",[152,155,158,159,160],{"id":153,"name":154},"TA0110","Persistence",{"id":156,"name":157},"TA0111","Privilege Escalation",{"id":55,"name":56},{"id":58,"name":59},{"id":161,"name":162},"TA0104","Execution",[164,168,170,172,174,176,178,180,182,184,186,188],{"id":165,"name":166,"tactic":167},"D3-SFA","System File 
Analysis",{"name":70},{"id":67,"name":68,"tactic":169},{"name":70},{"id":72,"name":73,"tactic":171},{"name":70},{"id":84,"name":85,"tactic":173},{"name":87},{"id":93,"name":94,"tactic":175},{"name":96},{"id":107,"name":108,"tactic":177},{"name":101},{"id":116,"name":117,"tactic":179},{"name":114},{"id":125,"name":126,"tactic":181},{"name":123},{"id":129,"name":130,"tactic":183},{"name":123},{"id":133,"name":134,"tactic":185},{"name":123},{"id":120,"name":121,"tactic":187},{"name":123},{"id":137,"name":138,"tactic":189},{"name":123},{"id":191,"name":192,"tactics":193,"countermeasures":199},"T1574.007","Path Interception by PATH Environment Variable",[194,195,196,197,198],{"id":153,"name":154},{"id":156,"name":157},{"id":55,"name":56},{"id":58,"name":59},{"id":161,"name":162},[200,202,204,206,208,210,212,214,216,218,220,222,224,226,228],{"id":67,"name":68,"tactic":201},{"name":70},{"id":72,"name":73,"tactic":203},{"name":70},{"id":76,"name":77,"tactic":205},{"name":70},{"id":80,"name":81,"tactic":207},{"name":70},{"id":84,"name":85,"tactic":209},{"name":87},{"id":93,"name":94,"tactic":211},{"name":96},{"id":107,"name":108,"tactic":213},{"name":101},{"id":116,"name":117,"tactic":215},{"name":114},{"id":125,"name":126,"tactic":217},{"name":123},{"id":129,"name":130,"tactic":219},{"name":123},{"id":133,"name":134,"tactic":221},{"name":123},{"id":120,"name":121,"tactic":223},{"name":123},{"id":137,"name":138,"tactic":225},{"name":123},{"id":141,"name":142,"tactic":227},{"name":123},{"id":145,"name":146,"tactic":229},{"name":123},{"id":231,"name":232,"techniques":233},"CAPEC-267","Leverage Alternate Encoding",[234],{"id":235,"name":236,"tactics":237,"countermeasures":240},"T1027","Obfuscated Files or 
Information",[238,239],{"id":55,"name":56},{"id":58,"name":59},[241,243,245,247,249,251,253,255,257,259,261,263,265,267,269],{"id":67,"name":68,"tactic":242},{"name":70},{"id":72,"name":73,"tactic":244},{"name":70},{"id":76,"name":77,"tactic":246},{"name":70},{"id":80,"name":81,"tactic":248},{"name":70},{"id":84,"name":85,"tactic":250},{"name":87},{"id":93,"name":94,"tactic":252},{"name":96},{"id":107,"name":108,"tactic":254},{"name":101},{"id":116,"name":117,"tactic":256},{"name":114},{"id":125,"name":126,"tactic":258},{"name":123},{"id":129,"name":130,"tactic":260},{"name":123},{"id":133,"name":134,"tactic":262},{"name":123},{"id":120,"name":121,"tactic":264},{"name":123},{"id":137,"name":138,"tactic":266},{"name":123},{"id":141,"name":142,"tactic":268},{"name":123},{"id":145,"name":146,"tactic":270},{"name":123},{"id":25,"name":26,"techniques":272},[],{"id":274,"name":275,"techniques":276},"CAPEC-72","URL Encoding",[],{"id":29,"name":30,"techniques":278},[],{"id":33,"name":34,"techniques":280},[],{"id":37,"name":38,"techniques":282},[],{"id":284,"name":285,"techniques":286},"CAPEC-80","Using UTF-8 Encoding to Bypass Validation 
Logic",[],[288],{"_key":289,"name":290,"source":291,"url":292,"maturity":293,"reliability_score":294,"verified":295,"type":9,"platforms":296,"requires_auth":9,"exploitdb":9,"metasploit":9},"GITHUB_DONKNAP_DPANEL","Dpanel","github","https://github.com/donknap/dpanel/security/advisories/GHSA-vh2x-fw87-4fxq","poc",0.3,false,[],[298,299],"GHSA-vh2x-fw87-4fxq","GO-2026-4318",[],[302],{"_key":303},"SUSE-SU-2026:0292-1",[],[306],{"_key":303},"2026-01-15T16:19:55.507Z","2026-01-15T16:44:51.018Z","Analyzed",{"cisa_kev":295,"cisa_ransomware":295,"cisa_vendor":9,"epss_severity":311,"epss_score":312,"severity":313,"severity_score":314,"severity_version":315,"severity_source":316,"severity_vector":317,"severity_status":309},"low",0.00072,"high",8.1,"v3.1","cve.org","CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",[319,329,336,341,345],{"url":292,"sources":320,"tags":323},[316,321,322],"nvd","osv_go",[324,325,326,327,328],"X Refsource CONFIRM","WEB","Advisory","Exploit","Vendor Advisory",{"url":330,"sources":331,"tags":332},"https://github.com/donknap/dpanel/commit/cbda0d90204e8212f2010774345c952e42069119",[316,321,322],[333,325,334,335],"X Refsource MISC","FIX","Patch",{"url":337,"sources":338,"tags":339},"https://github.com/donknap/dpanel/releases/tag/v1.9.2",[316,321,322],[333,325,340],"Release 
Notes",{"url":342,"sources":343,"tags":344},"https://nvd.nist.gov/vuln/detail/CVE-2025-66292",[322],[326],{"url":346,"sources":347,"tags":348},"https://github.com/donknap/dpanel",[322],[349],"PACKAGE",[],{"date":352,"score":312,"percentile":353},"2026-06-05",0.22089,[355,359,362,365,368,371,375,378,381,384,387,390,393,396,399,402,405,407,410,413,416,419,422,424,427,430,433,436,439,442,445,448,452,455,459,462,464,467,470,473,476,479,482,485,488,491,494,497,500,503,505,508,511,514,517,520,523,527,530,533,536,539,542,544,547,550,553,556,560,563,566,569,572,575,578,581,584,587,590,593,596,599,602,605,608,611,614,617,620,623],{"date":356,"score":357,"percentile":358},"2026-01-16",0.00097,0.27435,{"date":360,"score":357,"percentile":361},"2026-01-17",0.2744,{"date":363,"score":357,"percentile":364},"2026-01-18",0.27388,{"date":366,"score":357,"percentile":367},"2026-01-19",0.27347,{"date":369,"score":357,"percentile":370},"2026-01-20",0.2733,{"date":372,"score":373,"percentile":374},"2026-01-21",0.00108,0.29676,{"date":376,"score":373,"percentile":377},"2026-01-22",0.29644,{"date":379,"score":373,"percentile":380},"2026-01-23",0.29712,{"date":382,"score":373,"percentile":383},"2026-01-24",0.29715,{"date":385,"score":373,"percentile":386},"2026-01-25",0.29642,{"date":388,"score":373,"percentile":389},"2026-01-26",0.29559,{"date":391,"score":373,"percentile":392},"2026-01-27",0.29543,{"date":394,"score":373,"percentile":395},"2026-01-28",0.29525,{"date":397,"score":373,"percentile":398},"2026-01-29",0.29485,{"date":400,"score":373,"percentile":401},"2026-01-30",0.29475,{"date":403,"score":373,"percentile":404},"2026-01-31",0.29474,{"date":406,"score":373,"percentile":392},"2026-02-01",{"date":408,"score":373,"percentile":409},"2026-02-02",0.29505,{"date":411,"score":373,"percentile":412},"2026-02-03",0.29496,{"date":414,"score":373,"percentile":415},"2026-02-04",0.29411,{"date":417,"score":373,"percentile":418},"2026-02-05",0.29439,{"date":420,"score":373,"percentile":421},
"2026-02-06",0.29462,{"date":423,"score":373,"percentile":404},"2026-02-07",{"date":425,"score":373,"percentile":426},"2026-02-08",0.29437,{"date":428,"score":373,"percentile":429},"2026-02-09",0.2937,{"date":431,"score":373,"percentile":432},"2026-02-10",0.29313,{"date":434,"score":373,"percentile":435},"2026-02-11",0.29287,{"date":437,"score":373,"percentile":438},"2026-02-12",0.29306,{"date":440,"score":373,"percentile":441},"2026-02-13",0.29284,{"date":443,"score":373,"percentile":444},"2026-02-14",0.2928,{"date":446,"score":373,"percentile":447},"2026-02-15",0.29229,{"date":449,"score":450,"percentile":451},"2026-02-16",0.00125,0.31801,{"date":453,"score":450,"percentile":454},"2026-02-17",0.31768,{"date":456,"score":457,"percentile":458},"2026-02-18",0.0005,0.15563,{"date":460,"score":457,"percentile":461},"2026-02-19",0.15628,{"date":463,"score":457,"percentile":461},"2026-02-20",{"date":465,"score":457,"percentile":466},"2026-02-21",0.15626,{"date":468,"score":457,"percentile":469},"2026-02-22",0.15622,{"date":471,"score":457,"percentile":472},"2026-02-23",0.15582,{"date":474,"score":457,"percentile":475},"2026-02-24",0.15538,{"date":477,"score":457,"percentile":478},"2026-02-25",0.15505,{"date":480,"score":457,"percentile":481},"2026-02-26",0.15465,{"date":483,"score":457,"percentile":484},"2026-02-27",0.15484,{"date":486,"score":457,"percentile":487},"2026-02-28",0.15482,{"date":489,"score":457,"percentile":490},"2026-03-01",0.15511,{"date":492,"score":457,"percentile":493},"2026-03-02",0.15454,{"date":495,"score":457,"percentile":496},"2026-03-03",0.15419,{"date":498,"score":457,"percentile":499},"2026-03-04",0.1537,{"date":501,"score":457,"percentile":502},"2026-03-05",0.15379,{"date":504,"score":457,"percentile":502},"2026-03-06",{"date":506,"score":457,"percentile":507},"2026-03-07",0.15382,{"date":509,"score":457,"percentile":510},"2026-03-08",0.15352,{"date":512,"score":457,"percentile":513},"2026-03-09",0.153,{"date":515,"score":457,"percentile":516
},"2026-03-10",0.15293,{"date":518,"score":457,"percentile":519},"2026-03-11",0.15315,{"date":521,"score":457,"percentile":522},"2026-03-12",0.15372,{"date":524,"score":525,"percentile":526},"2026-03-13",0.00053,0.16392,{"date":528,"score":525,"percentile":529},"2026-03-14",0.16388,{"date":531,"score":525,"percentile":532},"2026-03-15",0.16326,{"date":534,"score":525,"percentile":535},"2026-03-16",0.16293,{"date":537,"score":525,"percentile":538},"2026-03-17",0.16264,{"date":540,"score":525,"percentile":541},"2026-03-18",0.16272,{"date":543,"score":525,"percentile":535},"2026-03-19",{"date":545,"score":525,"percentile":546},"2026-03-20",0.16359,{"date":548,"score":525,"percentile":549},"2026-03-21",0.16498,{"date":551,"score":525,"percentile":552},"2026-03-22",0.16494,{"date":554,"score":525,"percentile":555},"2026-03-23",0.16457,{"date":557,"score":558,"percentile":559},"2026-03-24",0.00061,0.19045,{"date":561,"score":558,"percentile":562},"2026-03-25",0.19115,{"date":564,"score":558,"percentile":565},"2026-03-26",0.19194,{"date":567,"score":558,"percentile":568},"2026-03-27",0.19214,{"date":570,"score":558,"percentile":571},"2026-03-28",0.19242,{"date":573,"score":558,"percentile":574},"2026-03-29",0.19215,{"date":576,"score":558,"percentile":577},"2026-03-30",0.19196,{"date":579,"score":558,"percentile":580},"2026-03-31",0.19193,{"date":582,"score":558,"percentile":583},"2026-04-01",0.19226,{"date":585,"score":558,"percentile":586},"2026-04-02",0.1936,{"date":588,"score":558,"percentile":589},"2026-04-03",0.19384,{"date":591,"score":558,"percentile":592},"2026-04-04",0.19411,{"date":594,"score":558,"percentile":595},"2026-04-05",0.19376,{"date":597,"score":558,"percentile":598},"2026-04-06",0.19139,{"date":600,"score":558,"percentile":601},"2026-04-07",0.19128,{"date":603,"score":558,"percentile":604},"2026-04-08",0.19207,{"date":606,"score":558,"percentile":607},"2026-04-09",0.1926,{"date":609,"score":558,"percentile":610},"2026-04-10",0.19277,{"date":612,"score
":558,"percentile":613},"2026-04-11",0.19266,{"date":615,"score":558,"percentile":616},"2026-04-12",0.19219,{"date":618,"score":558,"percentile":619},"2026-04-13",0.19165,{"date":621,"score":558,"percentile":622},"2026-04-14",0.19082,{"date":624,"score":558,"percentile":625},"2026-04-15",0.1913,[627,632,634],{"source":316,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":628,"cvss_v4_0":9},{"baseScore":314,"baseSeverity":629,"vectorString":317,"impactScore":630,"exploitabilityScore":631},"HIGH",8.7,7.2,{"source":321,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":633,"cvss_v4_0":9},{"baseScore":314,"baseSeverity":629,"vectorString":317,"impactScore":630,"exploitabilityScore":631},{"source":322,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":635,"cvss_v4_0":9},{"baseScore":314,"baseSeverity":9,"vectorString":317,"impactScore":630,"exploitabilityScore":631},[637,647,652],{"ecosystem":9,"name":638,"vendor":639,"product":638,"cpe_part":640,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":641},"dpanel","donknap","a",[642],{"version":643,"is_range":644,"range_type":316,"version_start":9,"version_start_type":9,"version_end":645,"version_end_type":646,"fixed_in":9},"\u003C 1.9.2",true,"1.9.2","excluding",{"ecosystem":9,"name":638,"vendor":638,"product":638,"cpe_part":640,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":648},[649],{"version":650,"is_range":644,"range_type":651,"version_start":9,"version_start_type":9,"version_end":645,"version_end_type":646,"fixed_in":9},"lt1.9.2","cpe",{"ecosystem":653,"name":654,"vendor":655,"product":638,"cpe_part":9,"purl_type":656,"purl_namespace":655,"purl_name":638,"source":9,"versions":657},"Go","github.com/donknap/dpanel","github.com/donknap","golang",[658],{"version":659,"is_range":644,"range_type":660,"version_start":9,"version_start_type":9,"version_end":645,"version_end_type":646,"fixed_in":9},"lt1_9_2","semver"]