Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/274440?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/274440?format=api", "purl": "pkg:composer/pterodactyl/panel@0.5.0-rc.1", "type": "composer", "namespace": "pterodactyl", "name": "panel", "version": "0.5.0-rc.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "1.12.1", "latest_non_vulnerable_version": "1.12.3", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57509?format=api", "vulnerability_id": "VCID-3whz-s48q-cqay", "summary": "Pterodactyl Panel Allows Unauthenticated Arbitrary Remote Code Execution\nUsing the `/locales/locale.json` with the `locale` and `namespace` query parameters, a malicious actor is able to execute arbitrary code, without being authenticated.\n\nWith the ability to execute arbitrary code, this vulnerability can be exploited in an infinite number of ways. It could be used to gain access to the Panel's server, read credentials from the Panel's config (`.env` or otherwise), extract sensitive information from the database (such as user details [username, email, first and last name, hashed password, ip addresses, etc]), access files of servers managed by the panel, etc.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-49132", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.12525", "scoring_system": "epss", "scoring_elements": "0.94074", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-49132" }, { "reference_url": "https://github.com/pterodactyl/panel", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel" }, { "reference_url": 
"https://github.com/pterodactyl/panel/commit/24c82b0e335fb5d7a844226b08abf9f176e592f0", "reference_id": "", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-06-20T17:34:12Z/" } ], "url": "https://github.com/pterodactyl/panel/commit/24c82b0e335fb5d7a844226b08abf9f176e592f0" }, { "reference_url": "https://github.com/pterodactyl/panel/releases/tag/v1.11.11", "reference_id": "", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-06-20T17:34:12Z/" } ], "url": "https://github.com/pterodactyl/panel/releases/tag/v1.11.11" }, { "reference_url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52341.py", "reference_id": "CVE-2025-49132", "reference_type": "exploit", "scores": [], "url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52341.py" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49132", "reference_id": "CVE-2025-49132", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2025-49132" }, { "reference_url": "https://github.com/advisories/GHSA-24wv-6c99-f843", "reference_id": "GHSA-24wv-6c99-f843", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-24wv-6c99-f843" }, { "reference_url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-24wv-6c99-f843", "reference_id": "GHSA-24wv-6c99-f843", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-06-20T17:34:12Z/" } ], "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-24wv-6c99-f843" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/85551?format=api", "purl": "pkg:composer/pterodactyl/panel@1.11.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8spz-vf88-ffg6" }, { "vulnerability": "VCID-euq3-t72s-v7hx" }, { "vulnerability": "VCID-ex7c-s6tk-cub4" }, { "vulnerability": "VCID-k7th-zxza-suax" }, { "vulnerability": "VCID-khx3-uazp-w3ht" }, { "vulnerability": "VCID-y8bz-8ura-hqc3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@1.11.11" } ], "aliases": [ "CVE-2025-49132", "GHSA-24wv-6c99-f843" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3whz-s48q-cqay" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/53697?format=api", "vulnerability_id": "VCID-4b3f-bz65-abfz", "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in 
pterodactyl/panel.", "references": [ { "reference_url": "https://github.com/pterodactyl/panel", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel" }, { "reference_url": "https://github.com/advisories/GHSA-5822-pw57-vv37", "reference_id": "GHSA-5822-pw57-vv37", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5822-pw57-vv37" }, { "reference_url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-5822-pw57-vv37", "reference_id": "GHSA-5822-pw57-vv37", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-5822-pw57-vv37" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/78903?format=api", "purl": "pkg:composer/pterodactyl/panel@0.7.19", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3whz-s48q-cqay" }, { "vulnerability": "VCID-4dmv-578h-yffr" }, { "vulnerability": "VCID-8spz-vf88-ffg6" }, { "vulnerability": "VCID-9b11-582z-9uad" }, { "vulnerability": "VCID-bws3-gcda-5yfp" }, { "vulnerability": "VCID-euq3-t72s-v7hx" }, { "vulnerability": "VCID-ex7c-s6tk-cub4" }, { "vulnerability": "VCID-k7th-zxza-suax" }, { "vulnerability": "VCID-khx3-uazp-w3ht" }, { "vulnerability": "VCID-px9v-aj25-qba9" }, { "vulnerability": "VCID-rzhf-4asb-tqe8" }, { "vulnerability": "VCID-y8bz-8ura-hqc3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@0.7.19" }, { "url": "http://public2.vulnerablecode.io/api/packages/78904?format=api", "purl": "pkg:composer/pterodactyl/panel@1.0.0-rc.7", "is_vulnerable": true, 
"affected_by_vulnerabilities": [ { "vulnerability": "VCID-3whz-s48q-cqay" }, { "vulnerability": "VCID-4dmv-578h-yffr" }, { "vulnerability": "VCID-8spz-vf88-ffg6" }, { "vulnerability": "VCID-9b11-582z-9uad" }, { "vulnerability": "VCID-bws3-gcda-5yfp" }, { "vulnerability": "VCID-euq3-t72s-v7hx" }, { "vulnerability": "VCID-ex7c-s6tk-cub4" }, { "vulnerability": "VCID-k7th-zxza-suax" }, { "vulnerability": "VCID-khx3-uazp-w3ht" }, { "vulnerability": "VCID-px9v-aj25-qba9" }, { "vulnerability": "VCID-rzhf-4asb-tqe8" }, { "vulnerability": "VCID-y8bz-8ura-hqc3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@1.0.0-rc.7" } ], "aliases": [ "GHSA-5822-pw57-vv37", "GMS-2020-584" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4b3f-bz65-abfz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41723?format=api", "vulnerability_id": "VCID-4dmv-578h-yffr", "summary": "Cross-Site Request Forgery (CSRF)\nPterodactyl is an open-source game server management panel built with PHP 7, React, and Go. Due to improperly configured CSRF protections on two routes, a malicious user could execute a CSRF-based attack against the following endpoints: Sending a test email and Generating a node auto-deployment token. At no point would any data be exposed to the malicious user, this would simply trigger email spam to an administrative user, or generate a single auto-deployment token unexpectedly. This token is not revealed to the malicious user, it is simply created unexpectedly in the system. This has been addressed in release `1.6.6`. 
Users may optionally manually apply the fixes released in v1.6.6 to patch their own systems.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-41273", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00117", "scoring_system": "epss", "scoring_elements": "0.30173", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00117", "scoring_system": "epss", "scoring_elements": "0.30101", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-41273" }, { "reference_url": "https://github.com/pterodactyl/panel", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel" }, { "reference_url": "https://github.com/pterodactyl/panel/commit/bf9cbe2c6d5266c6914223e067c56175de7fc3a5", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel/commit/bf9cbe2c6d5266c6914223e067c56175de7fc3a5" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41273", "reference_id": "CVE-2021-41273", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41273" }, { "reference_url": "https://github.com/advisories/GHSA-wwgq-9jhf-qgw6", "reference_id": "GHSA-wwgq-9jhf-qgw6", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", 
"scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wwgq-9jhf-qgw6" }, { "reference_url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-wwgq-9jhf-qgw6", "reference_id": "GHSA-wwgq-9jhf-qgw6", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-wwgq-9jhf-qgw6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/141884?format=api", "purl": "pkg:composer/pterodactyl/panel@1.6.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3whz-s48q-cqay" }, { "vulnerability": "VCID-8spz-vf88-ffg6" }, { "vulnerability": "VCID-bws3-gcda-5yfp" }, { "vulnerability": "VCID-euq3-t72s-v7hx" }, { "vulnerability": "VCID-ex7c-s6tk-cub4" }, { "vulnerability": "VCID-k7th-zxza-suax" }, { "vulnerability": "VCID-khx3-uazp-w3ht" }, { "vulnerability": "VCID-px9v-aj25-qba9" }, { "vulnerability": "VCID-rzhf-4asb-tqe8" }, { "vulnerability": "VCID-y8bz-8ura-hqc3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@1.6.6" } ], "aliases": [ "CVE-2021-41273", "GHSA-wwgq-9jhf-qgw6" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4dmv-578h-yffr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49593?format=api", "vulnerability_id": "VCID-8spz-vf88-ffg6", "summary": "Pterodactyl does not revoke SFTP access when server is deleted or permissions reduced\nPterodactyl does not revoke _active_ SFTP connections when a user is removed from a server instance or has their permissions changed with respect to file access over SFTP. 
This allows a user that was already connected to SFTP to remain connected and access files even after their permissions are revoked.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68954", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01379", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68954" }, { "reference_url": "https://github.com/pterodactyl/panel", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel" }, { "reference_url": "https://github.com/pterodactyl/panel/commit/2bd9d8baddb0e0606e4a9d5be402f48678ac88d5", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-06T14:23:44Z/" } ], "url": "https://github.com/pterodactyl/panel/commit/2bd9d8baddb0e0606e4a9d5be402f48678ac88d5" }, { "reference_url": "https://github.com/pterodactyl/panel/releases/tag/v1.12.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-06T14:23:44Z/" } ], "url": 
"https://github.com/pterodactyl/panel/releases/tag/v1.12.0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68954", "reference_id": "CVE-2025-68954", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68954" }, { "reference_url": "https://github.com/advisories/GHSA-8c39-xppg-479c", "reference_id": "GHSA-8c39-xppg-479c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8c39-xppg-479c" }, { "reference_url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-8c39-xppg-479c", "reference_id": "GHSA-8c39-xppg-479c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-06T14:23:44Z/" } ], "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-8c39-xppg-479c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73118?format=api", "purl": "pkg:composer/pterodactyl/panel@1.12.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ex7c-s6tk-cub4" }, { "vulnerability": "VCID-y8bz-8ura-hqc3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@1.12.0" } ], "aliases": [ "CVE-2025-68954", "GHSA-8c39-xppg-479c" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-8spz-vf88-ffg6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41633?format=api", "vulnerability_id": "VCID-9b11-582z-9uad", "summary": "Cross-Site Request Forgery (CSRF)\nPterodactyl is an open-source game server management panel built with PHP 7, React, and Go.This requires a targeted attack against a specific Panel instance, and serves only to sign a user out. **No user details are leaked, nor is any user data affected, this is simply an annoyance at worst.** This is fixed", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-41176", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00168", "scoring_system": "epss", "scoring_elements": "0.37745", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00168", "scoring_system": "epss", "scoring_elements": "0.37653", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-41176" }, { "reference_url": "https://github.com/pterodactyl/panel", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel" }, { "reference_url": "https://github.com/pterodactyl/panel/commit/45999ba4ee1b2dcb12b4a2fa2cedfb6b5d66fac2", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel/commit/45999ba4ee1b2dcb12b4a2fa2cedfb6b5d66fac2" }, { "reference_url": "https://github.com/pterodactyl/panel/releases/tag/v1.6.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0", 
"scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel/releases/tag/v1.6.3" }, { "reference_url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-m49f-hcxp-6hm6", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-m49f-hcxp-6hm6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41176", "reference_id": "CVE-2021-41176", "reference_type": "", "scores": [ { "value": "0.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41176" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/140532?format=api", "purl": "pkg:composer/pterodactyl/panel@1.6.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3whz-s48q-cqay" }, { "vulnerability": "VCID-4dmv-578h-yffr" }, { "vulnerability": "VCID-8spz-vf88-ffg6" }, { "vulnerability": "VCID-bws3-gcda-5yfp" }, { "vulnerability": "VCID-euq3-t72s-v7hx" }, { "vulnerability": "VCID-ex7c-s6tk-cub4" }, { "vulnerability": "VCID-k7th-zxza-suax" }, { "vulnerability": "VCID-khx3-uazp-w3ht" }, { "vulnerability": "VCID-px9v-aj25-qba9" }, { "vulnerability": "VCID-rzhf-4asb-tqe8" }, { "vulnerability": "VCID-y8bz-8ura-hqc3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@1.6.3" } ], "aliases": [ "CVE-2021-41176", "GHSA-m49f-hcxp-6hm6" ], "risk_score": null, "exploitability": null, 
"weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9b11-582z-9uad" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54733?format=api", "vulnerability_id": "VCID-bws3-gcda-5yfp", "summary": "Pterodactyl panel's admin area vulnerable to Cross-site Scripting\nImporting a malicious egg or gaining access to wings instance could lead to XSS on the panel, which could be used to gain an administrator account on the panel. Specifically, the following things are impacted:\n- Egg Docker images\n- Egg variables:\n- Name\n- Environment variable\n- Default value\n- Description\n- Validation rules\n\nAdditionally, certain fields would reflect malicious input, but it would require the user knowingly entering such input to have an impact.\n\nTo iterate, this would require an administrator to perform actions and can't be triggered by a normal panel user.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-34067", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00529", "scoring_system": "epss", "scoring_elements": "0.67585", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-34067" }, { "reference_url": "https://github.com/pterodactyl/panel", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel" }, { "reference_url": "https://github.com/pterodactyl/panel/commit/0dad4c5a488661f9adc27dd311542516d9bfa0f2", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": 
"Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-03T20:23:13Z/" } ], "url": "https://github.com/pterodactyl/panel/commit/0dad4c5a488661f9adc27dd311542516d9bfa0f2" }, { "reference_url": "https://github.com/pterodactyl/panel/commit/1172d71d31561c4e465dabdf6b838e64de48ad16", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-03T20:23:13Z/" } ], "url": "https://github.com/pterodactyl/panel/commit/1172d71d31561c4e465dabdf6b838e64de48ad16" }, { "reference_url": "https://github.com/pterodactyl/panel/commit/f671046947e4695b5e1c647df79305c1cefdf817", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-03T20:23:13Z/" } ], "url": "https://github.com/pterodactyl/panel/commit/f671046947e4695b5e1c647df79305c1cefdf817" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34067", "reference_id": "CVE-2024-34067", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34067" }, { "reference_url": "https://github.com/advisories/GHSA-384w-wffr-x63q", "reference_id": "GHSA-384w-wffr-x63q", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": 
"cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-384w-wffr-x63q" }, { "reference_url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-384w-wffr-x63q", "reference_id": "GHSA-384w-wffr-x63q", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-03T20:23:13Z/" } ], "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-384w-wffr-x63q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/81172?format=api", "purl": "pkg:composer/pterodactyl/panel@1.11.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3whz-s48q-cqay" }, { "vulnerability": "VCID-8spz-vf88-ffg6" }, { "vulnerability": "VCID-euq3-t72s-v7hx" }, { "vulnerability": "VCID-ex7c-s6tk-cub4" }, { "vulnerability": "VCID-k7th-zxza-suax" }, { "vulnerability": "VCID-khx3-uazp-w3ht" }, { "vulnerability": "VCID-px9v-aj25-qba9" }, { "vulnerability": "VCID-y8bz-8ura-hqc3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@1.11.6" } ], "aliases": [ "CVE-2024-34067", "GHSA-384w-wffr-x63q" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bws3-gcda-5yfp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49768?format=api", "vulnerability_id": "VCID-euq3-t72s-v7hx", "summary": "Pterodactyl improperly locks resources allowing raced queries to create more resources than alloted\nPterodactyl implements rate limits that are applied to the total number of resources (e.g. 
databases, port allocations, or backups) that can exist for an individual server. These resource limits are applied on a per-server basis, and validated during the request cycle.\n\nHowever, it is possible for a malicious user to send a massive volume of requests at the same time that would create more resources than the server is allotted. This is because the validation occurs early in the request cycle and does not lock the target resource while it is processing. As a result sending a large volume of requests at the same time would lead all of those requests to validate as not using any of the target resources, and then all creating the resources at the same time.\n\nAs a result a server would be able to create more databases, allocations, or backups than configured.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-69198", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00063", "scoring_system": "epss", "scoring_elements": "0.19729", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-69198" }, { "reference_url": "https://github.com/pterodactyl/panel", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel" }, { "reference_url": "https://github.com/pterodactyl/panel/commit/09caa0d4995bd924b53b9a9e9b4883ac27bd5607", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-20T19:37:10Z/" } ], "url": "https://github.com/pterodactyl/panel/commit/09caa0d4995bd924b53b9a9e9b4883ac27bd5607" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69198", "reference_id": "CVE-2025-69198", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69198" }, { "reference_url": "https://github.com/advisories/GHSA-jw2v-cq5x-q68g", "reference_id": "GHSA-jw2v-cq5x-q68g", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jw2v-cq5x-q68g" }, { "reference_url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-jw2v-cq5x-q68g", "reference_id": "GHSA-jw2v-cq5x-q68g", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L" }, { "value": 
"MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-20T19:37:10Z/" } ], "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-jw2v-cq5x-q68g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73118?format=api", "purl": "pkg:composer/pterodactyl/panel@1.12.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ex7c-s6tk-cub4" }, { "vulnerability": "VCID-y8bz-8ura-hqc3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@1.12.0" } ], "aliases": [ "CVE-2025-69198", "GHSA-jw2v-cq5x-q68g" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-euq3-t72s-v7hx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50174?format=api", "vulnerability_id": "VCID-ex7c-s6tk-cub4", "summary": "Pterodactyl Panel Allows Cross-Node Server Configuration Disclosure via Remote API Missing Authorization\nA missing authorization check in multiple controllers allows any user with access to a node secret token to fetch information about any server on a Pterodactyl instance, even if that server is associated with a different node. This issue stems from missing logic to verify that the node requesting server data is the same node that the server is associated with.\n\nAny authenticated Wings node can retrieve server installation scripts (potentially containing secret values) and manipulate the installation status of servers belonging to other nodes. Wings nodes may also manipulate the transfer status of servers belonging to other nodes.\n\n_This vulnerability requires a user to acquire a secret access token for a node. We rated this issue based on potential worst outcome. 
Unless a user gains access to a Wings secret access token they would not be able to access any of these vulnerable endpoints, as every endpoint requires a valid node access token._", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26016", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00065", "scoring_system": "epss", "scoring_elements": "0.20551", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26016" }, { "reference_url": "https://github.com/pterodactyl/panel", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:L/SA:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel" }, { "reference_url": "https://github.com/pterodactyl/panel/releases/tag/v1.12.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:L/SA:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-20T15:29:43Z/" } ], "url": "https://github.com/pterodactyl/panel/releases/tag/v1.12.1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26016", "reference_id": "CVE-2026-26016", "reference_type": "", "scores": [ { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:L/SA:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26016" }, { "reference_url": "https://github.com/advisories/GHSA-g7vw-f8p5-c728", "reference_id": "GHSA-g7vw-f8p5-c728", 
"reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g7vw-f8p5-c728" }, { "reference_url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-g7vw-f8p5-c728", "reference_id": "GHSA-g7vw-f8p5-c728", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:L/SA:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-20T15:29:43Z/" } ], "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-g7vw-f8p5-c728" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74061?format=api", "purl": "pkg:composer/pterodactyl/panel@1.12.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@1.12.1" } ], "aliases": [ "CVE-2026-26016", "GHSA-g7vw-f8p5-c728" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ex7c-s6tk-cub4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/112014?format=api", "vulnerability_id": "VCID-gwx6-sjts-hygr", "summary": "Pterodactyl vulnerable to 2FA Sniffing\n**Pterodactyl version 0.7.13 and lower - 2FA Sniffing**\n\nUsers who have enabled 2FA protections on their account can unintentionally have their account's existence sniffed by malicious users who enter random credentials into the login fields.\n\n### Impact\nUsers who have enabled 2FA protections on their account can unintentionally have their account's existence sniffed by malicious users who enter random credentials 
into the login fields.\n\nA logical mistake was made when the original code was written that would wait to verify the user's password until they had provided 2FA credentials if it was enabled on their account. However, because of this you could enter a bad password for a known email and determine if the account exists if you got redirected to a 2FA page.\n\n### For more information\nIf you have any questions or comments about this advisory please reach out on Discord or email dane@[project name].io.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2019-1020002", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00391", "scoring_system": "epss", "scoring_elements": "0.60532", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00391", "scoring_system": "epss", "scoring_elements": "0.60484", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-1020002" }, { "reference_url": "https://github.com/pterodactyl/panel", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel" }, { "reference_url": "https://github.com/pterodactyl/panel/commit/092e7e79fff858ee026608c7dbccab165a67526f", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel/commit/092e7e79fff858ee026608c7dbccab165a67526f" }, { "reference_url": "https://github.com/pterodactyl/panel/releases/tag/v0.7.14", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel/releases/tag/v0.7.14" }, { "reference_url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-vcm9-hx3q-qwj8", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-vcm9-hx3q-qwj8" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1020002", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1020002" }, { "reference_url": "https://github.com/advisories/GHSA-fg52-xjfc-9rh8", "reference_id": "GHSA-fg52-xjfc-9rh8", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-fg52-xjfc-9rh8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/154626?format=api", "purl": "pkg:composer/pterodactyl/panel@0.7.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3whz-s48q-cqay" }, { "vulnerability": "VCID-4b3f-bz65-abfz" }, { "vulnerability": "VCID-4dmv-578h-yffr" }, { "vulnerability": "VCID-8spz-vf88-ffg6" }, { "vulnerability": "VCID-9b11-582z-9uad" }, { "vulnerability": "VCID-bws3-gcda-5yfp" }, { "vulnerability": "VCID-euq3-t72s-v7hx" }, { "vulnerability": "VCID-ex7c-s6tk-cub4" }, { "vulnerability": "VCID-k7th-zxza-suax" }, { "vulnerability": "VCID-khx3-uazp-w3ht" }, { "vulnerability": "VCID-px9v-aj25-qba9" }, { "vulnerability": "VCID-rzhf-4asb-tqe8" }, { "vulnerability": 
"VCID-y8bz-8ura-hqc3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@0.7.14" } ], "aliases": [ "CVE-2019-1020002", "GHSA-fg52-xjfc-9rh8" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gwx6-sjts-hygr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49531?format=api", "vulnerability_id": "VCID-k7th-zxza-suax", "summary": "Pterodactyl has a Reflected XSS vulnerability in “Create New Database Host”\nWhen an administrative user creates a new database host they are prompted to provide a `Host` value which is expected to be a domain or IP address. When an invalid value is encountered and passed back to `gethostaddr` and/or directly to the MySQL connection tooling, an error is returned. This error is then passed back along to the front-end, but was not properly sanitized when rendered.\n\nTherefore it is possible for an admin to _knowingly_ paste a malicious payload such as `<script>prompt(document.domain)</script>` into the `Host` field and XSS themselves.", "references": [ { "reference_url": "https://github.com/pterodactyl/panel", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel" }, { "reference_url": "https://github.com/pterodactyl/panel/commit/1570ff250939b75b3ba8cd03e5025d8293544ed4", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/pterodactyl/panel/commit/1570ff250939b75b3ba8cd03e5025d8293544ed4" }, { "reference_url": "https://github.com/advisories/GHSA-mgr9-6c2j-jxrq", "reference_id": "GHSA-mgr9-6c2j-jxrq", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mgr9-6c2j-jxrq" }, { "reference_url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-mgr9-6c2j-jxrq", "reference_id": "GHSA-mgr9-6c2j-jxrq", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-mgr9-6c2j-jxrq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73118?format=api", "purl": "pkg:composer/pterodactyl/panel@1.12.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ex7c-s6tk-cub4" }, { "vulnerability": "VCID-y8bz-8ura-hqc3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@1.12.0" } ], "aliases": [ "GHSA-mgr9-6c2j-jxrq" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-k7th-zxza-suax" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49592?format=api", "vulnerability_id": "VCID-khx3-uazp-w3ht", "summary": "Pterodactyl TOTPs can be reused during validity window\nWhen a user signs into an account with 2FA enabled they are prompted to enter a token. 
When that token is used, it is not sufficiently marked as used in the system allowing an attacker that intercepts that token to then use it in addition to a known username/password during the token validity window.\n\nThis vulnerability requires that an attacker already be in possession of a valid username and password combination, and intercept a valid 2FA token (for example, during a screen share). The token must then be provided in addition to the username and password during the limited token validity window. The validity window is ~60 seconds as the Panel allows at most one additional window to the current one, each window being 30 seconds.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-69197", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01641", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-69197" }, { "reference_url": "https://github.com/pterodactyl/panel", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel" }, { "reference_url": "https://github.com/pterodactyl/panel/commit/032bf076d92bb2f929fa69c1bac1b89f26b8badf", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:23:37Z/" } ], "url": "https://github.com/pterodactyl/panel/commit/032bf076d92bb2f929fa69c1bac1b89f26b8badf" }, { "reference_url": 
"https://github.com/pterodactyl/panel/releases/tag/v1.12.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:23:37Z/" } ], "url": "https://github.com/pterodactyl/panel/releases/tag/v1.12.0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69197", "reference_id": "CVE-2025-69197", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69197" }, { "reference_url": "https://github.com/advisories/GHSA-rgmp-4873-r683", "reference_id": "GHSA-rgmp-4873-r683", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rgmp-4873-r683" }, { "reference_url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-rgmp-4873-r683", "reference_id": "GHSA-rgmp-4873-r683", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:23:37Z/" } ], "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-rgmp-4873-r683" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73118?format=api", "purl": 
"pkg:composer/pterodactyl/panel@1.12.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ex7c-s6tk-cub4" }, { "vulnerability": "VCID-y8bz-8ura-hqc3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@1.12.0" } ], "aliases": [ "CVE-2025-69197", "GHSA-rgmp-4873-r683" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-khx3-uazp-w3ht" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56057?format=api", "vulnerability_id": "VCID-px9v-aj25-qba9", "summary": "Pterodactyl Panel has plain-text logging of user passwords when two-factor authentication is disabled\nWhen a user disables two-factor authentication via the Panel, a `DELETE` request with their current password in a query parameter will be sent. While query parameters are encrypted when using TLS, many webservers (including ones officially documented for use with Pterodactyl) will log query parameters in plain-text, storing a user's password in plain text.\n\nIf a malicious user obtains access to these logs they could *potentially* authenticate against a user's account; assuming they are able to discover the account's email address or username **separately**.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-49762", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11231", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-49762" }, { "reference_url": "https://github.com/pterodactyl/panel", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/pterodactyl/panel" }, { "reference_url": "https://github.com/pterodactyl/panel/commit/75b59080e2812ced677dab516222b2a3bb34e3a4", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-25T17:20:24Z/" } ], "url": "https://github.com/pterodactyl/panel/commit/75b59080e2812ced677dab516222b2a3bb34e3a4" }, { "reference_url": "https://github.com/pterodactyl/panel/commit/8be2b892c3940bdc0157ccdab16685a72d105dd1", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-25T17:20:24Z/" } ], "url": "https://github.com/pterodactyl/panel/commit/8be2b892c3940bdc0157ccdab16685a72d105dd1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49762", "reference_id": "CVE-2024-49762", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49762" }, { "reference_url": "https://github.com/advisories/GHSA-c479-wq8g-57hr", "reference_id": "GHSA-c479-wq8g-57hr", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-c479-wq8g-57hr" }, { "reference_url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-c479-wq8g-57hr", "reference_id": "GHSA-c479-wq8g-57hr", "reference_type": "", 
"scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-25T17:20:24Z/" } ], "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-c479-wq8g-57hr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/83044?format=api", "purl": "pkg:composer/pterodactyl/panel@1.11.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3whz-s48q-cqay" }, { "vulnerability": "VCID-8spz-vf88-ffg6" }, { "vulnerability": "VCID-euq3-t72s-v7hx" }, { "vulnerability": "VCID-ex7c-s6tk-cub4" }, { "vulnerability": "VCID-k7th-zxza-suax" }, { "vulnerability": "VCID-khx3-uazp-w3ht" }, { "vulnerability": "VCID-y8bz-8ura-hqc3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@1.11.8" } ], "aliases": [ "CVE-2024-49762", "GHSA-c479-wq8g-57hr" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-px9v-aj25-qba9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42139?format=api", "vulnerability_id": "VCID-rzhf-4asb-tqe8", "summary": "Insufficient Session Expiration in Pterodactyl API\n### Impact\nA vulnerability exists in Pterodactyl Panel `<= 1.6.6` that could allow a malicious attacker that compromises an API key to generate an authenticated user session that is not revoked when the API key is deleted, thus allowing the malicious user to remain logged in as the user the key belonged to.\n\nIt is important to note that **a malicious user must first compromise an existing API key for a user to exploit this issue**. 
It cannot be exploited by chance, and requires a coordinated attack against an individual account using a known API key.\n\n### Patches\nThis issue has been addressed in the `v1.7.0` release of Pterodactyl Panel.\n\n### Workarounds\nThose not wishing to upgrade may apply the change below:\n\n```diff\ndiff --git a/app/Http/Middleware/Api/AuthenticateKey.php b/app/Http/Middleware/Api/AuthenticateKey.php\nindex eb25dac6..857bfab2 100644\n--- a/app/Http/Middleware/Api/AuthenticateKey.php\n+++ b/app/Http/Middleware/Api/AuthenticateKey.php\n@@ -70,7 +70,7 @@ class AuthenticateKey\n } else {\n $model = $this->authenticateApiKey($request->bearerToken(), $keyType);\n\n- $this->auth->guard()->loginUsingId($model->user_id);\n+ $this->auth->guard()->onceUsingId($model->user_id);\n }\n```\n\n### For more information\nIf you have any questions or comments about this advisory please reach out to `Tactical Fish#8008` on [Discord](https://discord.gg/pterodactyl) or email `dane@pterodactyl.io`.", "references": [ { "reference_url": "https://github.com/pterodactyl/panel", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel" }, { "reference_url": "https://github.com/pterodactyl/panel/commit/dfa329ddf242908b60e22e3340ea36359eab1ef4", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel/commit/dfa329ddf242908b60e22e3340ea36359eab1ef4" }, { "reference_url": "https://github.com/pterodactyl/panel/releases/tag/v1.7.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", 
"scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel/releases/tag/v1.7.0" }, { "reference_url": "https://github.com/advisories/GHSA-7v3x-h7r2-34jv", "reference_id": "GHSA-7v3x-h7r2-34jv", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7v3x-h7r2-34jv" }, { "reference_url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-7v3x-h7r2-34jv", "reference_id": "GHSA-7v3x-h7r2-34jv", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-7v3x-h7r2-34jv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/60222?format=api", "purl": "pkg:composer/pterodactyl/panel@1.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3whz-s48q-cqay" }, { "vulnerability": "VCID-8spz-vf88-ffg6" }, { "vulnerability": "VCID-bws3-gcda-5yfp" }, { "vulnerability": "VCID-euq3-t72s-v7hx" }, { "vulnerability": "VCID-ex7c-s6tk-cub4" }, { "vulnerability": "VCID-k7th-zxza-suax" }, { "vulnerability": "VCID-khx3-uazp-w3ht" }, { "vulnerability": "VCID-px9v-aj25-qba9" }, { "vulnerability": "VCID-y8bz-8ura-hqc3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@1.7.0" } ], "aliases": [ "GHSA-7v3x-h7r2-34jv", "GMS-2022-28" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-rzhf-4asb-tqe8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50156?format=api", "vulnerability_id": "VCID-y8bz-8ura-hqc3", "summary": "Pterodactyl Panel's SFTP sessions remain active after user account deletion or password change\nDeleting a user account with SFTP access or changing the user's password does not immediately terminate existing SFTP sessions, allowing continued filesystem access after credentials are revoked.\nThis can result in unintended and unauthorized access to server files even after administrators believe access has been fully invalidated.", "references": [ { "reference_url": "https://github.com/pterodactyl/panel", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel" }, { "reference_url": "https://github.com/pterodactyl/panel/commit/0e74f3aadec89405751ec602c77fc1d030a417c0", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel/commit/0e74f3aadec89405751ec602c77fc1d030a417c0" }, { "reference_url": "https://github.com/pterodactyl/panel/releases/tag/v1.12.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel/releases/tag/v1.12.1" }, { "reference_url": 
"https://github.com/advisories/GHSA-hr7j-63v7-vj7g", "reference_id": "GHSA-hr7j-63v7-vj7g", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hr7j-63v7-vj7g" }, { "reference_url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-hr7j-63v7-vj7g", "reference_id": "GHSA-hr7j-63v7-vj7g", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-hr7j-63v7-vj7g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74061?format=api", "purl": "pkg:composer/pterodactyl/panel@1.12.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@1.12.1" } ], "aliases": [ "GHSA-hr7j-63v7-vj7g" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y8bz-8ura-hqc3" } ], "fixing_vulnerabilities": [], "risk_score": "3.1", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@0.5.0-rc.1" }