Vulnerability Description
dpanel is an open source server management panel written in Go. In versions 1.2.0 through 1.7.2, dpanel allows authenticated users to read arbitrary files from the server via the /api/app/compose/get-from-uri API endpoint. The vulnerability exists in the GetFromUri function in app/application/http/controller/compose.go, where the uri parameter is passed directly to os.ReadFile without proper validation or access control. A logged-in attacker can exploit this flaw to read sensitive files from the host system, leading to information disclosure. No patched version is available as of this writing.
Related Weaknesses (CWE)
References
FAQ
What is CVE-2025-53363?
CVE-2025-53363 is a documented vulnerability. dpanel is an open source server management panel written in Go. In versions 1.2.0 through 1.7.2, dpanel allows authenticated users to read arbitrary files from the server via the /api/app/compose/get-...
How severe is CVE-2025-53363?
CVSS scoring is not yet available for CVE-2025-53363. Check NVD for updates.
Is there a patch for CVE-2025-53363?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.