DPanel, an open source server management panel written in Go, contains an arbitrary file deletion vulnerability in versions prior to 1.9.2. The vulnerability exists in the /api/common/attach/delete interface where authenticated users can delete arbitrary files on the server via path traversal attacks. The issue stems from insufficient input sanitization in the Delete function within app/common/http/controller/attach.go, where user-supplied path parameters are passed directly to storage operations without proper validation of path traversal characters. The vulnerability has been patched in version 1.9.2.