CVE-2026-26016

Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.1, a missing authorization check in multiple controllers allows any user with access to a node secret token to fetch information about any server on a Pterodactyl instance,...

CVE-2026-26016

Summary: CVE-2026-26016 affects Pterodactyl Panel (Wings) prior to 1.12.1 due to missing authorization checks across multiple controllers/endpoints. An authenticated Wings node with a node secret token can access and disclose information about servers on other nodes, retrieve server installation ...

Insufficient Session Expiration

Overview Affected versions of this package are vulnerable to Insufficient Session Expiration that allows several server functions to execute in an SFTP session after the user account has been deleted or its password changed. A user can maintain unexpected access to the server by keeping an SFTP...

CVE-2026-21696

Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Starting in version 1.7.0 and prior to version 1.12.0, Wings does not consider SQLite max parameter limit when processing activity log entries allowing for low privileged user to trigger a conditi...

EUVD-2026-3295

Pterodactyl endlessly reprocesses/reuploads activity log data due to SQLite max parameters limit not being considered...

CVE-2026-21696 Endless reprocessing/reupload of activity log data due to SQLite max parameters limit not being considered

Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Starting in version 1.7.0 and prior to version 1.12.0, Wings does not consider SQLite max parameter limit when processing activity log entries allowing for low privileged user to trigger a conditi...

CVE-2026-21696

Wings (Pterodactyl) security issue CVE-2026-21696 affects version 1.7.0 through before 1.12.0. The bug arises from not honoring SQLite’s max parameter limit (32766) when deleting activity log entries, causing a query to fail with “too many SQL variables.” As a result, processed activity entries a...

Insufficient Session Expiration

Overview Affected versions of this package are vulnerable to Insufficient Session Expiration in the SFTP access control process. An attacker can maintain unauthorized access to files by remaining connected to SFTP after their permissions have been revoked or after the game server has been deleted...

EUVD-2024-0814

Malicious code in bioql PyPI...

CVE-2024-27102

Wings is the server control plane for Pterodactyl Panel. This vulnerability impacts anyone running the affected versions of Wings. The vulnerability can potentially be used to access files and directories on the host system. The full scope of impact is exactly unknown, but reading files outside o...

Design/Logic Flaw

Wings is the server control plane for Pterodactyl Panel. This vulnerability impacts anyone running the affected versions of Wings. The vulnerability can potentially be used to access files and directories on the host system. The full scope of impact is exactly unknown, but reading files outside o...

CVE-2023-25168 Symbolic Link (Symlink) Following allowing the deletion of files and directories on the host system in wings

Wings is Pterodactyl's server control plane. This vulnerability can be used to delete files and directories recursively on the host system. This vulnerability can be combined with GHSA-p8r3-83r8-jwj5 to overwrite files on the host system. In order to use this exploit, an attacker must have an...