Pterodactyl Panel - Remote Code Execution
Pterodactyl is a free, open-source game server management panel. Using the /locales/locale.json with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code without being authenticated. id: CVE-2025-49132 info: name: Pterodactyl Panel - Remote Code Execution...
CVE-2026-35202
Pterodactyl is a free, open-source game server management panel. Prior to version 1.12.3, the Pterodactyl Client API has a logic flaw that lets users bypass their assigned limits for database allocations. This happens because the database locking mechanism used in the controllers is totally broke...
Allocation of Resources Without Limits or Throttling
Overview pterodactyl/panel is a game management panel. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via a race condition in the DatabaseController.php process. An attacker can exceed assigned database resource limits by sending multiple...
HTB-Pterodactyl-Writeup
HackTheBox — Pterodactyl Writeup Difficulty: Medium |...
Exploit for CVE-2025-49132
CVE-2025-49132 is a critical arbitrary code execution vulnerabil...
GO-2026-4497 Pterodactyl Panel's SFTP sessions remain active after user account deletion or password change in github.com/pterodactyl/wings
Pterodactyl Panel's SFTP sessions remain active after user account deletion or password change in github.com/pterodactyl/wings...
CVE-2026-26016
Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.1, a missing authorization check in multiple controllers allows any user with access to a node secret token to fetch information about any server on a Pterodactyl instance,...
CVE-2026-26016
Summary: CVE-2026-26016 affects Pterodactyl Panel (Wings) prior to 1.12.1 due to missing authorization checks across multiple controllers/endpoints. An authenticated Wings node with a node secret token can access and disclose information about servers on other nodes, retrieve server installation ...
CVE-2026-26016 Pterodactyl Panel Allows Cross-Node Server Configuration Disclosure via Remote API Missing Authorization
Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.1, a missing authorization check in multiple controllers allows any user with access to a node secret token to fetch information about any server on a Pterodactyl instance,...
Wings Security Vulnerability
Wings is the server control interface for Pterodactyl Panel. Versions of Wings prior to 1.12.1 contained security vulnerabilities. These vulnerabilities stemmed from the lack of authorization checks in multiple controllers, which could allow node token holders to access information about any serv...
Improper Authentication
pterodactyl/panel is vulnerable to Improper Authentication. The vulnerability is due to failure to properly invalidate or mark TOTP tokens as used within their validity window, which allows an attacker who intercepts a valid 2FA token to reuse it along with known credentials to bypass two-factor...
Authorization Bypass Through User-Controlled Key
Overview pterodactyl/panel is a game management panel. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in ServerTransferController and ServerInstallController. An attacker in possession of a secret Wings access token can access information on a...
Insufficient Session Expiration
Overview pterodactyl/panel is a game management panel. Affected versions of this package are vulnerable to Insufficient Session Expiration that allows several server functions to execute in an SFTP session after the user account has been deleted or its password changed. A user can maintain...
GHSA-HR7J-63V7-VJ7G Pterodactyl Panel's SFTP sessions remain active after user account deletion or password change
Summary Deleting a user account with SFTP access or changing the user's password does not immediately terminate existing SFTP sessions, allowing continued filesystem access after credentials are revoked. This can result in unintended and unauthorized access to server files even after administrato...
Pterodactyl Panel Remote Code Execution
This Metasploit module exploits a remote code execution vulnerability in Pterodactyl Panel versions before 1.11.11. The vulnerability allows an attacker to write a malicious PHP file via the locale functionality and then execute it to gain a reverse shell...
Exploit for CVE-2025-49132
CVE-2025-49132 - Pterodactyl Panel Exploit ⚠️ Disclaimer...
Exploit for CVE-2025-49132
CVE-2025-49132: Pterodactyl Panel Unauthenticated RCE via PHP...
Exploit for CVE-2025-49132
CVE-2025-49132PoC Pterodactyl Panel 1.11.11 - Remote Code Exe...
Exploit for CVE-2025-49132
CVE-2025-49132...
Exploit for CVE-2025-49132
CVE-2025-49132 Pterodactyl Panel - Unauthenticated Remote C...