| CVE-2026-35202 | low | — | 2.5 | 1d ago | Pterodactyl has a database resource limit bypass via race condition in Client API |
| CVE-2026-26016 | unknown | — | — | 3mo ago | Pterodactyl Panel Allows Cross-Node Server Configuration Disclosure via Remote API Missing Authorization |
| CVE-2025-69198 | unknown | — | — | 4mo ago | Pterodactyl improperly locks resources allowing raced queries to create more resources than allotted |
| CVE-2025-69197 | unknown | — | — | 5mo ago | Pterodactyl TOTPs can be reused during validity window |
| CVE-2025-68954 | unknown | — | — | 5mo ago | Pterodactyl does not revoke SFTP access when server is deleted or permissions reduced |
| CVE-2025-49132 | unknown | — | — | 11mo ago | Pterodactyl Panel Allows Unauthenticated Arbitrary Remote Code Execution |
| CVE-2024-49762 | unknown | — | — | 2y ago | Pterodactyl Panel has plain-text logging of user passwords when two-factor authentication is disabled |
| CVE-2024-34067 | unknown | — | — | 2y ago | Pterodactyl panel's admin area vulnerable to Cross-site Scripting |
| CVE-2019-1020002 | unknown | — | — | 4y ago | Pterodactyl vulnerable to 2FA Sniffing |
| CVE-2021-41273 | unknown | — | — | 5y ago | Cross-Site Request Forgery allowing sending of test emails and generation of node auto-deployment keys |
| CVE-2021-41176 | unknown | — | — | 5y ago | pterodactyl/panel CSRF allowing an external page to trigger a user logout event |
| CVE-2021-41129 | unknown | — | — | 5y ago | Pterodactyl Panel vulnerable to authentication bypass due to improper user-provided security token verification |