Panel
Missing authorization validation in Pterodactyl Wings prior to version 1.12.1 allows authenticated nodes to access and manipulate servers across different nodes without proper ownership verification. An attacker with a valid node secret token can retrieve sensitive installation scripts, alter server installation states, and modify transfer statuses for servers they should not have access to. The vulnerability requires network access and valid node credentials but carries high impact due to potential exposure of secrets and cross-node server manipulation.
SQL injection in Xiaopi Panel's WAF Firewall component (up to version 20260126) allows authenticated remote attackers to manipulate the ID parameter in /demo.php and execute arbitrary SQL queries. Public exploit code is available and the vendor has not provided a patch despite early notification. This vulnerability requires valid credentials to exploit but enables attackers to access or modify sensitive database information.
Pterodactyl is a free, open-source game server management panel. Pterodactyl implements rate limits that are applied to the total number of resources (e.g. [CVSS 6.5 MEDIUM]
Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below allow TOTP to be used multiple times during its validity window. [CVSS 6.5 MEDIUM]
Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below do not revoke active SFTP connections when a user is removed from a server instance or has their permissions changed with respect to file access over SFTP. [CVSS 5.4 MEDIUM]