Severity  CVSS  Advisory (CVE where one is assigned), followed by the affected version range(s)

CRITICAL  10.0  CVE-2025-49132  Pterodactyl Panel Allows Unauthenticated Arbitrary Remote Code Execution
                Affected: from 0, < 1.11.11
HIGH      8.1   CVE-2021-41129  Pterodactyl Panel vulnerable to authentication bypass due to improper user-provided security token verification
                Affected: >= 1.0.0, < 1.6.2; from 0, < 0.7.14
MEDIUM    6.5   Pterodactyl improperly locks resources allowing raced queries to create more resources than allotted
                Affected: from 0, < 1.12.0
MEDIUM    6.5   Pterodactyl TOTPs can be reused during validity window
                Affected: from 0, < 1.12.0
MEDIUM    6.1   Pterodactyl panel's admin area vulnerable to Cross-site Scripting
                Affected: from 0, < 1.11.6
MEDIUM    4.6   Pterodactyl Panel has plain-text logging of user passwords when two-factor authentication is disabled
                Affected: from 0, < 1.11.8
MEDIUM    4.3   Cross-Site Request Forgery allowing sending of test emails and generation of node auto-deployment keys
                Affected: from 0, < 1.6.6
NONE      0.0   pterodactyl/panel CSRF allowing an external page to trigger a user logout event
                Affected: >= 1.0.0, < 1.6.3
—               Pterodactyl has a database resource limit bypass via race condition in Client API
                Affected: from 0, < 1.12.3
—               Pterodactyl Panel Allows Cross-Node Server Configuration Disclosure via Remote API Missing Authorization
                Affected: from 0, < 1.12.1
—               Pterodactyl does not revoke SFTP access when server is deleted or permissions reduced
                Affected: from 0, < 1.12.0

Entries marked "—" carry no severity rating or CVSS score in this list. Lower bounds ("from 0", ">= 1.0.0") are inclusive; upper bounds ("< 1.12.0") are exclusive, so the first version outside every range above is 1.12.3.