What is the CVSS score of CVE-2025-68954?

CVE-2025-68954 has a CVSS 3.1 base score of 5.4 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N. EPSS exploitation probability: 0.0%.

Which versions of Wings are affected by CVE-2025-68954?

Organizations using Pterodactyl should be aware of moderate risk from CVE-2025-68954 rated CVSS 5.4. Exploitation could compromise the security of affected deployments.. A patch is available.

How to fix or mitigate CVE-2025-68954?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Wings CVE-2025-68954

MEDIUM

Insufficient Session Expiration (CWE-613)

2026-01-06 security-advisories@github.com

GHSA-8c39-xppg-479c

Information Disclosure Wings Panel Suse

5.4

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

5.4 MEDIUM

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

SUSE

MEDIUM

qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

Patch released

Jan 12, 2026 - 21:29 nvd

Patch available

CVE Published

Jan 06, 2026 - 01:16 nvd

MEDIUM 5.4

DescriptionGitHub Advisory

Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below do not revoke active SFTP connections when a user is removed from a server instance or has their permissions changes with respect to file access over SFTP. This allows a user that was already connected to SFTP to remain connected and access files even after their permissions are revoked. A user must have been connected to SFTP at the time of their permissions being revoked in order for this vulnerability to be exploited. This issue is fixed in version 1.12.0.

AnalysisAI

Technical ContextAI

Classified as CWE-613 (Insufficient Session Expiration). Affects Panel. Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below do not revoke active SFTP connections when a user is removed from a server instance or has their permissions changes with respect to file access over SFTP. This allows a user that was already connected to SFTP to remain connected and access files even after their permissions are revoked. A user must have been connected to SFTP at the time of their permissions being revoked in order for this vulnerability

RemediationAI

A vendor patch is available — apply it immediately. Fixed in version 1.12.0.. Restrict network access to the affected service where possible.

Vendor StatusVendor

SUSE

Severity: Medium

CVE-2025-68954 vulnerability details – vuln.today

Back

Wings CVE-2025-68954

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Technical ContextAI

RemediationAI

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code