panel — Vulnerabilities & Security Advisories 23

All 23 CVE vulnerabilities found in panel, with AI-generated Chinese analysis, references, and POCs.

Vendor: pterodactyl

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-33746 | Convoy: JWT Signature Verification Bypass Allows Authentication as Arbitrary Users | CWE-287 | 9.8 | Critical | 2026-04-02 |
| CVE-2026-5332 | Xiaopi Panel WAF Firewall demo.php cross site scripting | CWE-79 | 3.5 | Low | 2026-04-02 |
| CVE-2026-34456 | Reviactyl: OAuth account takeover via auto-linking | CWE-284 | 9.1 | Critical | 2026-04-01 |
| CVE-2026-26016 | Pterodactyl Panel Allows Cross-Node Server Configuration Disclosure via Remote API Missing Authorization | CWE-639 | 8.1 | - | 2026-02-19 |
| CVE-2026-2122 | Xiaopi Panel WAF Firewall demo.php sql injection | CWE-89 | 6.3 | Medium | 2026-02-08 |
| CVE-2025-69199 | Pterodactyl Wings's websocket endpoints have no visible rate limits or monitoring, allowing for DOS attacks under certain circumstances | CWE-400 | 7.5 (AI) | High (AI) | 2026-01-19 |
| CVE-2025-69198 | Pterodactyl's improper resource locking allows raced queries to create more resources than alloted | CWE-400 | 6.5 (AI) | Medium (AI) | 2026-01-19 |
| CVE-2025-69197 | Pterodactyl TOTPs can be reused during validity window | CWE-287 | 6.5 | Medium | 2026-01-06 |
| CVE-2025-68954 | Pterodactyl does not revoke SFTP access when server is deleted or permissions reduced | CWE-613 | 6.5 | - | 2026-01-06 |
| CVE-2025-53534 | RatPanel can perform remote command execution without authorization | CWE-305 | 9.8 (AI) | Critical (AI) | 2025-08-05 |
| CVE-2025-52562 | Convey Panel Directory Traversal in LocaleController leading to Remote Code Execution | CWE-22 | 10.0 | Critical | 2025-06-23 |
| CVE-2025-49132 | Pterodactyl Panel Allows Unauthenticated Arbitrary Remote Code Execution | CWE-94 | 10.0 | Critical | 2025-06-20 |
| CVE-2025-25203 | Ctrlpanel has stored XSS vulnerability in TicketsController priority field | CWE-79 | 8.1 | High | 2025-02-11 |
| CVE-2024-49762 | Pterodactyl Panel has plain-text logging of user passwords when two-factor authentication is disabled | CWE-313 | 4.6 | Medium | 2024-10-24 |
| CVE-2024-6878 | Directory Browsing in Eliz Software's Panel | CWE-552 | 6.5 (AI) | Medium (AI) | 2024-09-18 |
| CVE-2024-6877 | Reflected XSS in Eliz Software's Panel | CWE-79 | 6.1 (AI) | Medium (AI) | 2024-09-18 |
| CVE-2024-5960 | Plaintext Storage of a Password in Eliz Software's Panel | CWE-256 | 9.8 | Critical | 2024-09-18 |
| CVE-2024-5959 | Stored XSS in Eliz Software's Panel | CWE-79 | 5.4 (AI) | Medium (AI) | 2024-09-18 |
| CVE-2024-5958 | SQLi in Eliz Software's Panel | CWE-89 | 9.8 (AI) | Critical (AI) | 2024-09-18 |
| CVE-2024-34067 | Multiple cross site scripting (XSS) vulnerabilities in the admin area of Pterodactyl panel | CWE-79 | 6.1 | Medium | 2024-05-03 |
| CVE-2021-41273 | Cross-Site Request Forgery allowing sending of test emails and generation of node auto-deployment keys | CWE-352 | 4.3 | Medium | 2021-11-17 |
| CVE-2021-41176 | logout CSRF in Pterodactyl Panel | CWE-352 | 4.3 | Medium | 2021-10-25 |
| CVE-2021-41129 | Authentication bypass in Pterodactyl | CWE-502 | 8.1 | High | 2021-10-06 |
