Security: pterodactyl/panel
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
- Cross-Node Server Configuration Disclosure via Remote API Missing Authorization (GHSA-g7vw-f8p5-c728), published Feb 14, 2026 by DaneEveritt. Severity: Critical
- SFTP sessions remain active after user account deletion or password change (GHSA-hr7j-63v7-vj7g), published Feb 14, 2026 by DaneEveritt. Severity: High
- SFTP access is not revoked when server is deleted or permissions reduced (GHSA-8c39-xppg-479c), published Jan 6, 2026 by DaneEveritt. Severity: High
- Reflected XSS in “Create New Database Host” (GHSA-mgr9-6c2j-jxrq), published Dec 27, 2025 by DaneEveritt. Severity: Low
- TOTP can be used multiple times during validity window (GHSA-rgmp-4873-r683), published Jan 6, 2026 by DaneEveritt. Severity: Moderate
- Unauthenticated Arbitrary Remote Code Execution (GHSA-24wv-6c99-f843), published Jun 19, 2025 by matthewpi. Severity: Critical
- Plain-text logging of user passwords when two-factor authentication is disabled (GHSA-c479-wq8g-57hr), published Oct 24, 2024 by matthewpi. Severity: Moderate
- Improper resource locking allows raced queries to create more resources than alloted (GHSA-jw2v-cq5x-q68g), published Jan 19, 2026 by anthonyphysgun. Severity: Moderate
- Websocket endpoints have no visible rate limits or monitoring, allowing for DOS attacks under certain circumstances (GHSA-8w7m-w749-rx98), published Jan 19, 2026 by anthonyphysgun. Severity: High
- Multiple XSS vulnerabilities in the admin area (GHSA-384w-wffr-x63q), published May 3, 2024 by matthewpi. Severity: Moderate