
Panel — Vulnerabilities & Security Advisories 30

All 30 CVE vulnerabilities found in Panel, with AI-generated Chinese analysis, references, and POCs.

This page aggregates Common Weakness Enumerations (CWEs) related to the panel product category, focusing on software vulnerability classification and vendor-specific advisories. It compiles a dataset of security flaws ranging from code injection and broken access control to cross-site scripting and security misconfigurations. The collection spans records from the early 2010s to current developments, covering legacy system risks alongside modern architectural vulnerabilities. Users can use this resource to track specific vendor security advisories and monitor how different manufacturers address similar weaknesses in their panel implementations. The database lets security professionals gauge the prevalence and severity of specific weakness classes within panel software, supporting risk assessment and mitigation planning. By examining a product's vulnerability history, teams can identify recurring patterns in coding errors or design flaws that persist across multiple updates. This structured approach helps organizations prioritize patching efforts and strengthen their defenses against known exploit vectors. The data serves as a reference point for comparing security postures across competing products and understanding the broader landscape of panel-related security incidents. Analysts can also use these insights to evaluate the effectiveness of existing security controls and identify gaps in their current protection mechanisms.

Vendor: pterodactyl

CVSS scores and severities marked "(AI)" are AI-generated estimates; "-" means no value is available.

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-35202 | Pterodactyl has a database resource limit bypass via race condition in Client API | CWE-367 | - | - | 2026-06-02 |
| CVE-2026-34358 | CtrlPanel: Missing Authorization on Admin Write Endpoints Allows RBAC Bypass | CWE-284 | 8.1 | High | 2026-05-19 |
| CVE-2026-34246 | CtrlPanel: Stored XSS in Admin Role Management via Unescaped DataTable HTML Output | CWE-80 | 4.8 | Medium | 2026-05-19 |
| CVE-2026-34241 | CtrlPanel: Stored XSS in Ticket Reply Notifications Allows Session Hijacking | CWE-79 | 8.7 | High | 2026-05-19 |
| CVE-2026-34234 | CtrlPanel: Unauthenticated RCE using installer script | CWE-78 | 10.0 | Critical | 2026-05-19 |
| CVE-2026-34233 | CtrlPanel has Missing Authentication Checks in Datatable Admin Endpoints | CWE-284 | 6.5 | Medium | 2026-05-19 |
| CVE-2026-34216 | CtrlPanel: Authenticated Remote Code Execution via Dynamic Class Instantiation in SettingsController.php | CWE-470 | 6.6 | Medium | 2026-05-19 |
| CVE-2026-33746 | Convoy: JWT Signature Verification Bypass Allows Authentication as Arbitrary Users | CWE-287 | 9.8 | Critical | 2026-04-02 |
| CVE-2026-5332 | Xiaopi Panel WAF Firewall demo.php cross site scripting | CWE-79 | 3.5 | Low | 2026-04-02 |
| CVE-2026-34456 | Reviactyl: OAuth account takeover via auto-linking | CWE-284 | 9.1 | Critical | 2026-04-01 |
| CVE-2026-26016 | Pterodactyl Panel Allows Cross-Node Server Configuration Disclosure via Remote API Missing Authorization | CWE-639 | 8.1 | - | 2026-02-19 |
| CVE-2026-2122 | Xiaopi Panel WAF Firewall demo.php sql injection | CWE-89 | 6.3 | Medium | 2026-02-08 |
| CVE-2025-69199 | Pterodactyl Wings's websocket endpoints have no visible rate limits or monitoring, allowing for DOS attacks under certain circumstances | CWE-400 | 7.5 (AI) | High (AI) | 2026-01-19 |
| CVE-2025-69198 | Pterodactyl's improper resource locking allows raced queries to create more resources than allotted | CWE-400 | 6.5 (AI) | Medium (AI) | 2026-01-19 |
| CVE-2025-69197 | Pterodactyl TOTPs can be reused during validity window | CWE-287 | 6.5 | Medium | 2026-01-06 |
| CVE-2025-68954 | Pterodactyl does not revoke SFTP access when server is deleted or permissions reduced | CWE-613 | 6.5 | - | 2026-01-06 |
| CVE-2025-53534 | RatPanel can perform remote command execution without authorization | CWE-305 | 9.8 (AI) | Critical (AI) | 2025-08-05 |
| CVE-2025-52562 | Convey Panel Directory Traversal in LocaleController leading to Remote Code Execution | CWE-22 | 10.0 | Critical | 2025-06-23 |
| CVE-2025-49132 | Pterodactyl Panel Allows Unauthenticated Arbitrary Remote Code Execution | CWE-94 | 10.0 | Critical | 2025-06-20 |
| CVE-2025-25203 | Ctrlpanel has stored XSS vulnerability in TicketsController priority field | CWE-79 | 8.1 | High | 2025-02-11 |
| CVE-2024-49762 | Pterodactyl Panel has plain-text logging of user passwords when two-factor authentication is disabled | CWE-313 | 4.6 | Medium | 2024-10-24 |
| CVE-2024-6878 | Directory Browsing in Eliz Software's Panel | CWE-552 | 6.5 (AI) | Medium (AI) | 2024-09-18 |
| CVE-2024-6877 | Reflected XSS in Eliz Software's Panel | CWE-79 | 6.1 (AI) | Medium (AI) | 2024-09-18 |
| CVE-2024-5960 | Plaintext Storage of a Password in Eliz Software's Panel | CWE-256 | 9.8 | Critical | 2024-09-18 |
| CVE-2024-5959 | Stored XSS in Eliz Software's Panel | CWE-79 | 5.4 (AI) | Medium (AI) | 2024-09-18 |
| CVE-2024-5958 | SQLi in Eliz Software's Panel | CWE-89 | 9.8 (AI) | Critical (AI) | 2024-09-18 |
| CVE-2024-34067 | Multiple cross site scripting (XSS) vulnerabilities in the admin area of Pterodactyl panel | CWE-79 | 6.1 | Medium | 2024-05-03 |
| CVE-2021-41273 | Cross-Site Request Forgery allowing sending of test emails and generation of node auto-deployment keys | CWE-352 | 4.3 | Medium | 2021-11-17 |
| CVE-2021-41176 | logout CSRF in Pterodactyl Panel | CWE-352 | 4.3 | Medium | 2021-10-25 |
| CVE-2021-41129 | Authentication bypass in Pterodactyl | CWE-502 | 8.1 | High | 2021-10-06 |