VYPR

Panel

by Pterodactyl

Source repositories

CVEs (11)

  • CVE-2025-49132CriJun 20, 2025
    risk 0.62cvss 10.0epss 0.13

    Pterodactyl is a free, open-source game server management panel. Prior to version 1.11.11, using the /locales/locale.json with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code without being authenticated. With the ability to execute…

  • CVE-2024-49762MedOct 24, 2024
    risk 0.23cvss 4.6epss 0.00

    Pterodactyl is a free, open-source game server management panel. When a user disables two-factor authentication via the Panel, a `DELETE` request with their current password in a query parameter will be sent. While query parameters are encrypted when using TLS, many webservers…

  • CVE-2026-35202LowJun 2, 2026
    risk 0.08cvss epss 0.00

    Pterodactyl is a free, open-source game server management panel. Prior to version 1.12.3, the Pterodactyl Client API has a logic flaw that lets users bypass their assigned limits for database allocations. This happens because the database locking mechanism used in the…

  • CVE-2026-26016Feb 19, 2026
    risk 0.00cvss epss 0.00

    Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.1, a missing authorization check in multiple controllers allows any user with access to a node secret token to fetch information about any server on a…

  • CVE-2025-69198Jan 19, 2026
    risk 0.00cvss epss 0.00

    Pterodactyl is a free, open-source game server management panel. Pterodactyl implements rate limits that are applied to the total number of resources (e.g. databases, port allocations, or backups) that can exist for an individual server. These resource limits are applied on a…

  • CVE-2025-69197Jan 6, 2026
    risk 0.00cvss epss 0.00

    Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below allow TOTP to be used multiple times during its validity window. Users with 2FA enabled are prompted to enter a token during sign-in, and afterward it is not sufficiently marked as used…

  • CVE-2025-68954Jan 6, 2026
    risk 0.00cvss epss 0.00

    Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below do not revoke active SFTP connections when a user is removed from a server instance or has their permissions changes with respect to file access over SFTP. This allows a user that was…

  • CVE-2024-34067May 3, 2024
    risk 0.00cvss epss 0.00

    Pterodactyl is a free, open-source game server management panel built with PHP, React, and Go. Importing a malicious egg or gaining access to wings instance could lead to cross site scripting (XSS) on the panel, which could be used to gain an administrator account on the panel.…

  • CVE-2021-41273Nov 17, 2021
    risk 0.00cvss epss 0.00

    Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. Due to improperly configured CSRF protections on two routes, a malicious user could execute a CSRF-based attack against the following endpoints: Sending a test email and Generating a node…

  • CVE-2021-41176Oct 25, 2021
    risk 0.00cvss epss 0.01

    Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. In affected versions of Pterodactyl a malicious user can trigger a user logout if a signed in user visits a malicious website that makes a request to the Panel's sign-out endpoint. This…

  • CVE-2021-41129Oct 6, 2021
    risk 0.00cvss epss 0.02

    Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. A malicious user can modify the contents of a `confirmation_token` input during the two-factor authentication process to reference a cache value not associated with the login attempt. In…