146 matches found
CVE-2025-69199
Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.0, websockets within wings lack proper rate limiting and throttling. As a result a malicious user can open a large number of connections and then request data through these...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to no visible rate limits or monitoring. An attacker can exhaust system resources by opening a large number of connections and transmitting excessive data through the websockets...
CVE-2026-21696 Endless reprocessing/reupload of activity log data due to SQLite max parameters limit not being considered
Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Starting in version 1.7.0 and prior to version 1.12.0, Wings does not consider SQLite max parameter limit when processing activity log entries allowing for low privileged user to trigger a conditi...
CVE-2026-21696
Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Starting in version 1.7.0 and prior to version 1.12.0, Wings does not consider SQLite max parameter limit when processing activity log entries allowing for low privileged user to trigger a conditi...
CVE-2026-21696 Endless reprocessing/reupload of activity log data due to SQLite max parameters limit not being considered
Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Starting in version 1.7.0 and prior to version 1.12.0, Wings does not consider SQLite max parameter limit when processing activity log entries allowing for low privileged user to trigger a conditi...
CVE-2026-21696 Endless reprocessing/reupload of activity log data due to SQLite max parameters limit not being considered
Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Starting in version 1.7.0 and prior to version 1.12.0, Wings does not consider SQLite max parameter limit when processing activity log entries allowing for low privileged user to trigger a conditi...
CVE-2026-21696
Wings (Pterodactyl) security issue CVE-2026-21696 affects version 1.7.0 through before 1.12.0. The bug arises from not honoring SQLite’s max parameter limit (32766) when deleting activity log entries, causing a query to fail with “too many SQL variables.” As a result, processed activity entries a...
CVE-2025-69199 Pterodactyl Wings's websocket endpoints have no visible rate limits or monitoring, allowing for DOS attacks under certain circumstances
Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.0, websockets within wings lack proper rate limiting and throttling. As a result a malicious user can open a large number of connections and then request data through these...
CVE-2025-69199 Pterodactyl Wings's websocket endpoints have no visible rate limits or monitoring, allowing for DOS attacks under certain circumstances
Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.0, websockets within wings lack proper rate limiting and throttling. As a result a malicious user can open a large number of connections and then request data through these...
CVE-2025-69199 Pterodactyl Wings's websocket endpoints have no visible rate limits or monitoring, allowing for DOS attacks under certain circumstances
Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.0, websockets within wings lack proper rate limiting and throttling. As a result a malicious user can open a large number of connections and then request data through these...
Wings Resource Management Error Vulnerability
Wings is the server control interface for Pterodactyl Panel. In versions 1.7.0 to 1.12.0 of Wings, there was a resource management vulnerability. This vulnerability stemmed from not considering the maximum parameter limits of SQLite, which could lead to exhaustion of the database server’s disk...
PT-2026-3490
Name of the Vulnerable Software and Affected Versions Wings versions 1.7.0 through 1.11.9 Description Wings, the server control plane for Pterodactyl, is affected by an issue where it does not account for SQLite’s maximum parameter limit when handling activity log entries. This allows a...
PT-2026-3486
Name of the Vulnerable Software and Affected Versions Wings versions prior to 1.12.0 Description Wings, the server control plane for Pterodactyl, is affected by an issue where websockets lack appropriate rate limiting and throttling. This allows a malicious user to establish numerous connections...
GO-2026-4283 Pterodactyl does not revoke SFTP access when server is deleted or permissions reduced in github.com/pterodactyl/wings
Pterodactyl does not revoke SFTP access when server is deleted or permissions reduced in github.com/pterodactyl/wings...
CVE-2024-34068
Pterodactyl wings is the server control plane for Pterodactyl Panel. An authenticated user who has access to a game server is able to bypass the previously implemented access control GHSA-6rg3-8h8x-5xfv that prevents accessing internal endpoints of the node hosting Wings in the pull endpoint. Thi...
CVE-2023-25168
Wings is Pterodactyl's server control plane. This vulnerability can be used to delete files and directories recursively on the host system. This vulnerability can be combined with GHSA-p8r3-83r8-jwj5 to overwrite files on the host system. In order to use this exploit, an attacker must have an...
CVE-2023-25152
Wings is Pterodactyl's server control plane. Affected versions are subject to a vulnerability which can be used to create new files and directory structures on the host system that previously did not exist, potentially allowing attackers to change their resource allocations, promote their...
GHSA-8C39-XPPG-479C Pterodactyl does not revoke SFTP access when server is deleted or permissions reduced
Summary Pterodactyl does not revoke active SFTP connections when a user is removed from a server instance or has their permissions changes with respect to file access over SFTP. This allows a user that was already connected to SFTP to remain connected and access files even after their permissions...
Pterodactyl does not revoke SFTP access when server is deleted or permissions reduced
Summary Pterodactyl does not revoke active SFTP connections when a user is removed from a server instance or has their permissions changes with respect to file access over SFTP. This allows a user that was already connected to SFTP to remain connected and access files even after their permissions...
Insufficient Session Expiration
Overview Affected versions of this package are vulnerable to Insufficient Session Expiration in the SFTP access control process. An attacker can maintain unauthorized access to files by remaining connected to SFTP after their permissions have been revoked or after the game server has been deleted...