Pterodactyl
Products (3)
- 11 CVEs
- 9 CVEs
- 1 CVE
Recent CVEs (21)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-49132 | | Cri | 0.62 | 10.0 | 0.13 | | Jun 20, 2025 | Pterodactyl is a free, open-source game server management panel. Prior to version 1.11.11, using the /locales/locale.json with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code without being authenticated. With the ability to execute… |
| CVE-2024-49762 | | Med | 0.23 | 4.6 | 0.00 | | Oct 24, 2024 | Pterodactyl is a free, open-source game server management panel. When a user disables two-factor authentication via the Panel, a `DELETE` request with their current password in a query parameter will be sent. While query parameters are encrypted when using TLS, many webservers… |
| CVE-2026-35202 | | Low | 0.08 | — | 0.00 | | Jun 2, 2026 | Pterodactyl is a free, open-source game server management panel. Prior to version 1.12.3, the Pterodactyl Client API has a logic flaw that lets users bypass their assigned limits for database allocations. This happens because the database locking mechanism used in the… |
| CVE-2026-26016 | | | 0.00 | — | 0.00 | | Feb 19, 2026 | Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.1, a missing authorization check in multiple controllers allows any user with access to a node secret token to fetch information about any server on a… |
| CVE-2026-21696 | | | 0.00 | — | 0.00 | | Jan 19, 2026 | Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Starting in version 1.7.0 and prior to version 1.12.0, Wings does not consider SQLite max parameter limit when processing activity log entries allowing for low privileged user to… |
| CVE-2025-69199 | | | 0.00 | — | 0.00 | | Jan 19, 2026 | Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.0, websockets within wings lack proper rate limiting and throttling. As a result a malicious user can open a large number of connections and then request… |
| CVE-2025-69198 | | | 0.00 | — | 0.00 | | Jan 19, 2026 | Pterodactyl is a free, open-source game server management panel. Pterodactyl implements rate limits that are applied to the total number of resources (e.g. databases, port allocations, or backups) that can exist for an individual server. These resource limits are applied on a… |
| CVE-2025-69197 | | | 0.00 | — | 0.00 | | Jan 6, 2026 | Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below allow TOTP to be used multiple times during its validity window. Users with 2FA enabled are prompted to enter a token during sign-in, and afterward it is not sufficiently marked as used… |
| CVE-2025-68954 | | | 0.00 | — | 0.00 | | Jan 6, 2026 | Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below do not revoke active SFTP connections when a user is removed from a server instance or has their permissions changed with respect to file access over SFTP. This allows a user that was… |
| CVE-2024-34066 | | | 0.00 | — | 0.01 | | May 3, 2024 | Pterodactyl wings is the server control plane for Pterodactyl Panel. If the Wings token is leaked either by viewing the node configuration or posting it accidentally somewhere, an attacker can use it to gain arbitrary file write and read access on the node the token is… |
| CVE-2024-34067 | | | 0.00 | — | 0.00 | | May 3, 2024 | Pterodactyl is a free, open-source game server management panel built with PHP, React, and Go. Importing a malicious egg or gaining access to wings instance could lead to cross site scripting (XSS) on the panel, which could be used to gain an administrator account on the panel.… |
| CVE-2024-34068 | | | 0.00 | — | 0.00 | | May 3, 2024 | Pterodactyl wings is the server control plane for Pterodactyl Panel. An authenticated user who has access to a game server is able to bypass the previously implemented access control (GHSA-6rg3-8h8x-5xfv) that prevents accessing internal endpoints of the node hosting Wings in… |
| CVE-2024-27102 | | | 0.00 | — | 0.01 | | Mar 13, 2024 | Wings is the server control plane for Pterodactyl Panel. This vulnerability impacts anyone running the affected versions of Wings. The vulnerability can potentially be used to access files and directories on the host system. The full scope of impact is exactly unknown, but… |
| CVE-2023-32080 | | | 0.00 | — | 0.01 | | May 10, 2023 | Wings is the server control plane for Pterodactyl Panel. A vulnerability affecting versions prior to 1.7.5 and versions 1.11.0 prior to 1.11.6 impacts anyone running the affected versions of Wings. This vulnerability can be used to gain access to the host system running Wings… |
| CVE-2023-25168 | | | 0.00 | — | 0.01 | | Feb 8, 2023 | Wings is Pterodactyl's server control plane. This vulnerability can be used to delete files and directories recursively on the host system. This vulnerability can be combined with `GHSA-p8r3-83r8-jwj5` to overwrite files on the host system. In order to use this exploit, an… |
| CVE-2023-25152 | | | 0.00 | — | 0.01 | | Feb 8, 2023 | Wings is Pterodactyl's server control plane. Affected versions are subject to a vulnerability which can be used to create new files and directory structures on the host system that previously did not exist, potentially allowing attackers to change their resource allocations,… |
| CVE-2021-41273 | | | 0.00 | — | 0.00 | | Nov 17, 2021 | Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. Due to improperly configured CSRF protections on two routes, a malicious user could execute a CSRF-based attack against the following endpoints: Sending a test email and Generating a node… |
| CVE-2021-41176 | | | 0.00 | — | 0.01 | | Oct 25, 2021 | Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. In affected versions of Pterodactyl a malicious user can trigger a user logout if a signed in user visits a malicious website that makes a request to the Panel's sign-out endpoint. This… |
| CVE-2021-41129 | | | 0.00 | — | 0.02 | | Oct 6, 2021 | Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. A malicious user can modify the contents of a `confirmation_token` input during the two-factor authentication process to reference a cache value not associated with the login attempt. In… |
| CVE-2021-32699 | | | 0.00 | — | 0.00 | | Jun 22, 2021 | Wings is the control plane software for the open source Pterodactyl game management system. All versions of Pterodactyl Wings prior to `1.4.4` are vulnerable to system resource exhaustion due to improper container process limits being defined. A malicious user can consume more… |