145 matches found

OSV
added 2026/02/23 6:23 p.m. | 3 views

GO-2026-4497 Pterodactyl Panel's SFTP sessions remain active after user account deletion or password change in github.com/pterodactyl/wings

Pterodactyl Panel's SFTP sessions remain active after user account deletion or password change in github.com/pterodactyl/wings...

5.4 AI score
Exploits: 0 | References: 3

RedhatCVE
added 2026/02/20 7:39 p.m. | 4 views

CVE-2026-26016

Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.1, a missing authorization check in multiple controllers allows any user with access to a node secret token to fetch information about any server on a Pterodactyl instance,...

9.2 CVSS | 5.7 AI score | 0.00065 EPSS
Exploits: 0 | References: 1

CVE
added 2026/02/19 3:55 p.m. | 10 views

CVE-2026-26016

Summary: CVE-2026-26016 affects Pterodactyl Panel (Wings) prior to 1.12.1 due to missing authorization checks across multiple controllers/endpoints. An authenticated Wings node with a node secret token can access and disclose information about servers on other nodes, retrieve server installation ...

9.2 CVSS | 5.7 AI score | 0.00065 EPSS
Exploits: 0 | References: 2 | Affected Software: 1

Cvelist
added 2026/02/19 3:55 p.m. | 18 views

CVE-2026-26016 Pterodactyl Panel Allows Cross-Node Server Configuration Disclosure via Remote API Missing Authorization

Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.1, a missing authorization check in multiple controllers allows any user with access to a node secret token to fetch information about any server on a Pterodactyl instance,...

9.2 CVSS | 0.00065 EPSS
Exploits: 0 | References: 2

CNNVD
added 2026/02/19 12:0 a.m. | 3 views

Wings security vulnerability

Wings is the server control interface for Pterodactyl Panel. Versions of Wings prior to 1.12.1 contained security vulnerabilities. These vulnerabilities stemmed from the lack of authorization checks in multiple controllers, which could allow node token holders to access information about any serv...

9.2 CVSS | 5.8 AI score | 0.00065 EPSS
Exploits: 0 | References: 2

Snyk
added 2026/02/17 6:54 p.m. | 0 views

Authorization Bypass Through User-Controlled Key

Overview: pterodactyl/panel is a game management panel. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in ServerTransferController and ServerInstallController. An attacker in possession of a secret Wings access token can access information on a...

9.2 CVSS | 5.6 AI score | 0.00065 EPSS
Exploits: 0 | References: 3

Snyk
added 2026/02/17 5:15 p.m. | 2 views

Insufficient Session Expiration

Overview: Affected versions of this package are vulnerable to Insufficient Session Expiration that allows several server functions to execute in an SFTP session after the user account has been deleted or its password changed. A user can maintain unexpected access to the server by keeping an SFTP...

7.5 CVSS | 5.6 AI score
Exploits: 0 | References: 3

Positive Technologies
added 2026/02/17 12:0 a.m. | 3 views

PT-2026-20331

Name of the Vulnerable Software and Affected Versions: Pterodactyl Panel versions prior to 1.12.1. Description: A missing authorization check allows any user with access to a node secret token to fetch information about any server on a Pterodactyl instance, even if that server is associated with a...

9.2 CVSS | 5.5 AI score | 0.00065 EPSS
Exploits: 0 | References: 10

SUSE CVE
added 2026/02/07 12:27 a.m. | 1 views

SUSE CVE-2025-69199

Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.0, websockets within wings lack proper rate limiting and throttling. As a result a malicious user can open a large number of connections and then request data through these...

8.3 CVSS | 5.3 AI score | 0.00081 EPSS
Exploits: 0 | References: 3

SUSE CVE
added 2026/02/07 12:26 a.m. | 3 views

SUSE CVE-2026-21696

Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Starting in version 1.7.0 and prior to version 1.12.0, Wings does not consider SQLite max parameter limit when processing activity log entries allowing for low privileged user to trigger a conditi...

8.3 CVSS | 5.6 AI score | 0.00079 EPSS
Exploits: 1 | References: 3

OSV
added 2026/02/03 8:37 p.m. | 2 views

GO-2026-4329 Pterodactyl endlessly reprocesses/reuploads activity log data due to SQLite max parameters limit not being considered in github.com/pterodactyl/wings

Pterodactyl endlessly reprocesses/reuploads activity log data due to SQLite max parameters limit not being considered in github.com/pterodactyl/wings...

8.3 CVSS | 5.3 AI score | 0.00079 EPSS
Exploits: 1 | References: 6

OSV
added 2026/02/03 8:37 p.m. | 2 views

GO-2026-4331 Pterodactyl websocket endpoints have no visible rate limits or monitoring, allowing for DOS attacks in github.com/pterodactyl/wings

Pterodactyl websocket endpoints have no visible rate limits or monitoring, allowing for DOS attacks in github.com/pterodactyl/wings...

8.3 CVSS | 5.3 AI score | 0.00081 EPSS
Exploits: 0 | References: 4

Positive Technologies
added 2026/02/03 12:0 a.m. | 2 views

PT-2026-6505

Pterodactyl endlessly reprocesses/reuploads activity log data due to SQLite max parameters limit not being considered in github.com/pterodactyl/wings...

8.3 CVSS | 5.4 AI score | 0.00079 EPSS
Exploits: 1 | References: 7

RedhatCVE
added 2026/01/20 8:22 p.m. | 2 views

CVE-2026-21696

Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Starting in version 1.7.0 and prior to version 1.12.0, Wings does not consider SQLite max parameter limit when processing activity log entries allowing for low privileged user to trigger a conditi...

8.3 CVSS | 5.8 AI score | 0.00079 EPSS
Exploits: 1 | References: 1

Github Security Blog
added 2026/01/20 4:30 p.m. | 10 views

Pterodactyl endlessly reprocesses/reuploads activity log data due to SQLite max parameters limit not being considered

Summary: Wings does not consider SQLite max parameter limit when processing activity log entries allowing for low privileged user to trigger a condition that floods the panel with activity records. Details: After wings sends activity logs to the panel it deletes the processed activity entries from t...

8.3 CVSS | 5.7 AI score | 0.00079 EPSS
Exploits: 1 | References: 7 | Affected Software: 1

EUVD
added 2026/01/20 4:30 p.m. | 2 views

EUVD-2026-3295

Pterodactyl endlessly reprocesses/reuploads activity log data due to SQLite max parameters limit not being considered...

8.3 CVSS | 5.4 AI score | 0.00079 EPSS
Exploits: 1 | References: 6

OSV
added 2026/01/20 4:30 p.m. | 2 views

GHSA-2497-GP99-2M74 Pterodactyl endlessly reprocesses/reuploads activity log data due to SQLite max parameters limit not being considered

Summary: Wings does not consider SQLite max parameter limit when processing activity log entries allowing for low privileged user to trigger a condition that floods the panel with activity records. Details: After wings sends activity logs to the panel it deletes the processed activity entries from t...

8.3 CVSS | 5.8 AI score | 0.00079 EPSS
Exploits: 1 | References: 7

EUVD
added 2026/01/20 4:30 p.m. | 3 views

EUVD-2025-206299

Pterodactyl websocket endpoints have no visible rate limits or monitoring, allowing for DOS attacks...

8.3 CVSS | 5.4 AI score | 0.00081 EPSS
Exploits: 0 | References: 4

OSV
added 2026/01/20 4:30 p.m. | 2 views

GHSA-8W7M-W749-RX98 Pterodactyl websocket endpoints have no visible rate limits or monitoring, allowing for DOS attacks

Summary: Websockets within wings lack proper rate limiting and throttling. As a result a malicious user can open a large number of connections and then request data through these sockets, causing an excessive volume of data over the network and overloading the host system memory and cpu...

8.3 CVSS | 5.6 AI score | 0.00081 EPSS
Exploits: 0 | References: 5

NVD
added 2026/01/19 8:15 p.m. | 2 views

CVE-2025-69199

Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.0, websockets within wings lack proper rate limiting and throttling. As a result a malicious user can open a large number of connections and then request data through these...

8.3 CVSS | 0.00081 EPSS
Exploits: 0 | References: 1