10 matches found
CVE-2024-34068
CVE-2024-34068 affects Pterodactyl Wings. An authenticated user with access to a game server could bypass access controls in the pull endpoint of Wings, potentially accessing resources on local networks. The issue is addressed in version 1.11.2 ; upgrade is advised. As a workaround, users can ena...
CVE-2021-32699
Wings (Pterodactyl Wings) pre-1.4.4 is affected by a resource-exhaustion vulnerability caused by improper container process limits. A malicious user can exhaust host resources, impacting other clients and potentially taking the physical server offline. Mitigation per multiple sources: upgrade to ...
CVE-2023-25152
Wings (Pterodactyl) contains a privilege/escalation vector in its server control plane: affected Wings Daemon versions allow an attacker with an existing allocated server to create new files/directories on the host, potentially changing resource allocations, promoting containers to privileged mod...
CVE-2023-25168
CVE-2023-25168 affects Pterodactyl Wings (server control plane). Description: UNIX Symbolic Link (Symlink) Following enables deletion of files/directories on the host when a server is allocated; may be used with GHSA-p8r3-83r8-jwj5 to overwrite host files. Root cause: symbolic link handling in Wi...
CVE-2024-27102
CVE-2024-27102 affects Wings (github.com/pterodactyl/wings). It is an improper isolation of server file access vulnerability that enables reading files outside the server’s base directory when an attacker has an existing server controlled by Wings. The public documentation confirms the impact and...
CVE-2023-32080
Summary: CVE-2023-32080 affects Wings (Pterodactyl Panel) prior to v1.7.5 and v1.11.0 prior to v1.11.6. Affected code paths allow an attacker to escalate by injecting commands via the server install script (or user data/environment variables) to gain access to the host running Wings. The issue is...
CVE-2024-34066
The CVE-2024-34066 issue affects Pterodactyl Wings (github.com/pterodactyl/wings). If the Wings token is leaked (for example via node configuration exposure or accidental posting), an attacker can gain arbitrary file write and read access on the associated node. Root cause: leaked token enabling ...
CVE-2025-68954
CVE-2025-68954 affects Pterodactyl’s SFTP subsystem where active SFTP sessions are not revoked when a user is removed or has permissions reduced. Multiple sources describe that credentials are checked at handshake, but not re-validated afterward, allowing a user who was connected to maintain acce...
CVE-2026-21696
Wings (Pterodactyl) security issue CVE-2026-21696 affects version 1.7.0 through before 1.12.0. The bug arises from not honoring SQLite’s max parameter limit (32766) when deleting activity log entries, causing a query to fail with “too many SQL variables.” As a result, processed activity entries a...
CVE-2025-69199
CVE-2025-69199 affects the Wings websocket endpoints in Pterodactyl. Prior to version 1.12.0, websockets lacked rate limiting and message-size controls, enabling a attacker to open many connections and flood data, risking network saturation and elevated CPU/memory load. Remedies: upgrade to Wings...