9 matches found
CVE-2021-41129
CVE-2021-41129 affects Pterodactyl Panel. A validation flaw in the two‑factor authentication flow (LoginCheckpointController@__invoke) allows a malicious user to alter the confirmation_token to reference a cache entry containing a user_id, potentially authenticating as an arbitrary user with two‑...
CVE-2024-34067
CVE-2024-34067 affects the Pterodactyl panel. The issue allows cross-site scripting (XSS) via importing a malicious egg or gaining access to a wings instance, potentially enabling an administrator account takeover. The vulnerability impacts Egg Docker images and Egg variables (Name, Environment v...
CVE-2021-41176
CVE-2021-41176 describes a cross-site request forgery (CSRF) vulnerability in Pterodactyl Panel where a signed-in user can be logged out if they visit a malicious site that makes a request to the Panel’s sign-out endpoint. This requires targeting a specific Panel instance and only signs the user ...
CVE-2021-41273
CVE-2021-41273 affects the Pterodactyl panel where CSRF protections on two routes were improperly configured, allowing a CSRF attack that could trigger: (1) sending a test email and (2) generating a node auto-deployment token. No data exfiltration is described; impact is unsolicited emails or tok...
CVE-2019-1020002
CVE-2019-1020002 affects the Pterodactyl Panel before 0.7.14, where a logic error causes credentials/sniffing of 2FA credentials by delaying password verification until after 2FA input. Reported as enabling an attacker to infer account existence under certain login flows (0.7.13 and earlier). The...
CVE-2026-26016
Summary: CVE-2026-26016 affects Pterodactyl Panel (Wings) prior to 1.12.1 due to missing authorization checks across multiple controllers/endpoints. An authenticated Wings node with a node secret token can access and disclose information about servers on other nodes, retrieve server installation ...
CVE-2025-68954
CVE-2025-68954 affects Pterodactyl’s SFTP subsystem where active SFTP sessions are not revoked when a user is removed or has permissions reduced. Multiple sources describe that credentials are checked at handshake, but not re-validated afterward, allowing a user who was connected to maintain acce...
CVE-2025-69198
Pterodactyl panel suffers a race condition in resource locking: before v1.12.0, concurrent requests can bypass per-server resource validation and concurrently create more databases, allocations, or backups than configured, denying resources to other users and potentially exhausting node quotas. T...
CVE-2025-69197
Pterodactyl Panel (versions