Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2025-49132: Code Injection in Panel

CWE-94 Code Injection | 7 documents | 7 sources
Severity
10.0 CRITICAL (NVD)
EPSS
15.7%
top 5.28%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
Published: Jun 20
Latest update: Jun 26

Description

Pterodactyl is a free, open-source game server management panel. Prior to version 1.11.11, using the /locales/locale.json with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code without being authenticated. With the ability to execute arbitrary code it could be used to gain access to the Panel's server, read credentials from the Panel's config, extract sensitive information from the database, access files of servers managed by the panel, etc. This issu

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (Exploitability: 3.9 | Impact: 6.0)

Affected Packages (2 packages)

CVEListV5: pterodactyl/panel < 1.11.11
Packagist: pterodactyl/panel < 1.11.11

🔴 Vulnerability Details (3)
GHSA
Pterodactyl Panel Allows Unauthenticated Arbitrary Remote Code Execution (2025-06-19)
OSV
Pterodactyl Panel Allows Unauthenticated Arbitrary Remote Code Execution (2025-06-19)
VulnCheck
pterodactyl panel Improper Control of Generation of Code ('Code Injection') (2025)

💥 Exploits & PoCs (2)
Exploit-DB
Pterodactyl Panel 1.11.11 - Remote Code Execution (RCE) (2025-06-26)
Nuclei
Pterodactyl Panel - Remote Code Execution

🕵️ Threat Intelligence (1)
Greynoiseio
NoiseLetter July 2025