{"id":"CVE-2025-53363","summary":"Dpanel has an arbitrary file read vulnerability","details":"dpanel is an open source server management panel written in Go. In versions 1.2.0 through 1.7.2, dpanel allows authenticated users to read arbitrary files from the server via the /api/app/compose/get-from-uri API endpoint. The vulnerability exists in the GetFromUri function in app/application/http/controller/compose.go, where the uri parameter is passed directly to os.ReadFile without proper validation or access control. A logged-in attacker can exploit this flaw to read sensitive files from the host system, leading to information disclosure. No patched version is available as of this writing.","aliases":["GHSA-gcqf-pxgg-gw8q","GO-2025-3909"],"modified":"2026-04-10T05:30:48.876336Z","published":"2025-08-22T15:18:01.533Z","database_specific":{"cwe_ids":["CWE-22","CWE-73"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/53xxx/CVE-2025-53363.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/53xxx/CVE-2025-53363.json"},{"type":"ADVISORY","url":"https://github.com/donknap/dpanel/security/advisories/GHSA-gcqf-pxgg-gw8q"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-53363"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/donknap/dpanel","events":[{"introduced":"fad77f5962f2bf54a38afb71ca9dbdc6c3c63049"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-53363.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:P"}]}