pterodactyl/panel Security Advisories for v1.11.9 (8)
-
[LOW] Pterodactyl has a database resource limit bypass via race condition in Client API
PKSA-d16c-6bkx-pfvs CVE-2026-35202 GHSA-fgmm-w5cx-vrfw
Affected version: <1.12.3
Reported by:
GitHub -
[CRITICAL] Pterodactyl Panel Allows Cross-Node Server Configuration Disclosure via Remote API Missing Authorization
PKSA-773t-3wms-bb2z CVE-2026-26016 GHSA-g7vw-f8p5-c728
Affected version: <1.12.1
Reported by:
GitHub -
[HIGH] Pterodactyl Panel's SFTP sessions remain active after user account deletion or password change
PKSA-khps-r6nm-3z7r GHSA-hr7j-63v7-vj7g
Affected version: <1.12.1
Reported by:
GitHub -
[MEDIUM] Pterodactyl improperly locks resources allowing raced queries to create more resources than alloted
PKSA-hm8z-9vp5-kfyz CVE-2025-69198 GHSA-jw2v-cq5x-q68g
Affected version: <1.12.0
Reported by:
GitHub -
[MEDIUM] Pterodactyl TOTPs can be reused during validity window
PKSA-nk76-8zr3-7ywp CVE-2025-69197 GHSA-rgmp-4873-r683
Affected version: <1.12.0
Reported by:
GitHub -
[HIGH] Pterodactyl does not revoke SFTP access when server is deleted or permissions reduced
PKSA-zfwd-jx3t-62gc CVE-2025-68954 GHSA-8c39-xppg-479c
Affected version: <1.12.0
Reported by:
GitHub -
[LOW] Pterodactyl has a Reflected XSS vulnerability in “Create New Database Host”
PKSA-5dmg-k8vm-rbb6 GHSA-mgr9-6c2j-jxrq
Affected version: <1.12.0
Reported by:
GitHub -
[CRITICAL] Pterodactyl Panel Allows Unauthenticated Arbitrary Remote Code Execution
PKSA-7fcd-gcsm-y5fk CVE-2025-49132 GHSA-24wv-6c99-f843
Affected version: <=1.11.10
Reported by:
GitHub