Security: pterodactyl/panel
Security Advisories
- Improper JWT scoping allows subuser to upload files when not explicitly granted `file.create` permissions (GHSA-8r6w-3qq5-4p4r). Severity: High. Published Jun 6, 2026 by anthonyphysgun.
- Improperly configured pessimistic resource lock allows malicious user to bypass assigned resource limits (GHSA-fgmm-w5cx-vrfw). Severity: Low. Published May 23, 2026 by DaneEveritt.
- Client email change endpoint allows enumeration of accounts in system (GHSA-j7f5-gfqm-pcx3). Severity: Moderate. Published May 23, 2026 by DaneEveritt.
- Cross-Node Server Configuration Disclosure via Remote API Missing Authorization (GHSA-g7vw-f8p5-c728). Severity: Critical. Published Feb 14, 2026 by DaneEveritt.
- SFTP sessions remain active after user account deletion or password change (GHSA-hr7j-63v7-vj7g). Severity: High. Published Feb 14, 2026 by DaneEveritt.
- SFTP access is not revoked when server is deleted or permissions reduced (GHSA-8c39-xppg-479c). Severity: High. Published Jan 6, 2026 by DaneEveritt.
- Reflected XSS in "Create New Database Host" (GHSA-mgr9-6c2j-jxrq). Severity: Low. Published Dec 27, 2025 by DaneEveritt.
- TOTP can be used multiple times during validity window (GHSA-rgmp-4873-r683). Severity: Moderate. Published Jan 6, 2026 by DaneEveritt.
- Unauthenticated Arbitrary Remote Code Execution (GHSA-24wv-6c99-f843). Severity: Critical. Published Jun 19, 2025 by matthewpi.
- Plain-text logging of user passwords when two-factor authentication is disabled (GHSA-c479-wq8g-57hr). Severity: Moderate. Published Oct 24, 2024 by matthewpi.