Pterodactyl Wings vulnerabilities

10 known vulnerabilities affecting pterodactyl/wings.

Total CVEs
10
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
HIGH8MEDIUM2

Vulnerabilities

Page 1 of 1
CVE-2026-21696HIGHCVSS 8.3≥ 1.7.0, < 1.12.0v>= 1.7.0, < 1.12.02026-01-19
CVE-2026-21696 [HIGH] CWE-400 CVE-2026-21696: Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Starting in version 1.7.0 and prior to version 1.12.0, Wings does not consider SQLite max parameter limit when processing activity log entries allowing for low privileged user to trigger a condition that floods the panel with activity records. After Wi
nvd
CVE-2025-69199HIGHCVSS 8.3fixed in 1.12.02026-01-19
CVE-2025-69199 [HIGH] CWE-400 CVE-2025-69199: Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.0, websockets within wings lack proper rate limiting and throttling. As a result a malicious user can open a large number of connections and then request data through these sockets, causing an excessive volume of data over the net
nvd
CVE-2025-68954HIGHCVSS 7.5fixed in 1.12.02026-01-06
CVE-2025-68954 [HIGH] CWE-613 CVE-2025-68954: Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below do not r Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below do not revoke active SFTP connections when a user is removed from a server instance or has their permissions changes with respect to file access over SFTP. This allows a user that was already connected to SFTP to remain connected and access files even after the
nvd
CVE-2024-34066HIGHCVSS 8.4fixed in 1.11.2fixed in 1.11.122024-05-03
CVE-2024-34066 [HIGH] CWE-552 CVE-2024-34066: Pterodactyl wings is the server control plane for Pterodactyl Panel. If the Wings token is leaked ei Pterodactyl wings is the server control plane for Pterodactyl Panel. If the Wings token is leaked either by viewing the node configuration or posting it accidentally somewhere, an attacker can use it to gain arbitrary file write and read access on the node the token is associated to. This issue has been addressed in version 1.11.12 and users are advis
nvd
CVE-2024-34068MEDIUMCVSS 6.4fixed in 1.11.2fixed in 1.11.122024-05-03
CVE-2024-34068 [MEDIUM] CWE-284 CVE-2024-34068: Pterodactyl wings is the server control plane for Pterodactyl Panel. An authenticated user who has a Pterodactyl wings is the server control plane for Pterodactyl Panel. An authenticated user who has access to a game server is able to bypass the previously implemented access control (GHSA-6rg3-8h8x-5xfv) that prevents accessing internal endpoints of the node hosting Wings in the pull endpoint. This would allow malicious users to potentially access
nvd
CVE-2024-27102HIGHCVSS 8.5fixed in 1.11.92024-03-13
CVE-2024-27102 [HIGH] CWE-22 CVE-2024-27102: Wings is the server control plane for Pterodactyl Panel. This vulnerability impacts anyone running t Wings is the server control plane for Pterodactyl Panel. This vulnerability impacts anyone running the affected versions of Wings. The vulnerability can potentially be used to access files and directories on the host system. The full scope of impact is exactly unknown, but reading files outside of a server's base directory (sandbox root) is possible. I
nvd
CVE-2023-32080HIGHCVSS 8.8fixed in 1.7.4≥ 1.11.0, < 1.11.6+2 more2023-05-10
CVE-2023-32080 [HIGH] CWE-250 CVE-2023-32080: Wings is the server control plane for Pterodactyl Panel. A vulnerability affecting versions prior to Wings is the server control plane for Pterodactyl Panel. A vulnerability affecting versions prior to 1.7.5 and versions 1.11.0 prior to 1.11.6 impacts anyone running the affected versions of Wings. This vulnerability can be used to gain access to the host system running Wings if a user is able to modify an server's install script or the install script
nvd
CVE-2023-25168HIGHCVSS 8.2≥ 1.7.0, < 1.7.4v1.11.0+5 more2023-02-09
CVE-2023-25168 [HIGH] CWE-59 CVE-2023-25168: Wings is Pterodactyl's server control plane. This vulnerability can be used to delete files and dire Wings is Pterodactyl's server control plane. This vulnerability can be used to delete files and directories recursively on the host system. This vulnerability can be combined with `GHSA-p8r3-83r8-jwj5` to overwrite files on the host system. In order to use this exploit, an attacker must have an existing "server" allocated and controlled by Wings. This
nvd
CVE-2023-25152HIGHCVSS 8.8fixed in 1.7.3v1.11.0+3 more2023-02-08
CVE-2023-25152 [HIGH] CWE-59 CVE-2023-25152: Wings is Pterodactyl's server control plane. Affected versions are subject to a vulnerability which Wings is Pterodactyl's server control plane. Affected versions are subject to a vulnerability which can be used to create new files and directory structures on the host system that previously did not exist, potentially allowing attackers to change their resource allocations, promote their containers to privileged mode, or potentially add ssh authorized
nvd
CVE-2021-32699MEDIUMCVSS 6.5fixed in 1.4.42021-06-22
CVE-2021-32699 [MEDIUM] CWE-400 CVE-2021-32699: Wings is the control plane software for the open source Pterodactyl game management system. All vers Wings is the control plane software for the open source Pterodactyl game management system. All versions of Pterodactyl Wings prior to `1.4.4` are vulnerable to system resource exhaustion due to improper container process limits being defined. A malicious user can consume more resources than intended and cause downstream impacts to other clients on
nvd