Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/85551?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/85551?format=api", "purl": "pkg:composer/pterodactyl/panel@1.11.11", "type": "composer", "namespace": "pterodactyl", "name": "panel", "version": "1.11.11", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "1.12.1", "latest_non_vulnerable_version": "1.12.3", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49593?format=api", "vulnerability_id": "VCID-8spz-vf88-ffg6", "summary": "Pterodactyl does not revoke SFTP access when server is deleted or permissions reduced\nPterodactyl does not revoke _active_ SFTP connections when a user is removed from a server instance or has their permissions changed with respect to file access over SFTP. This allows a user that was already connected to SFTP to remain connected and access files even after their permissions are revoked.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68954", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01383", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01379", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68954" }, { "reference_url": "https://github.com/pterodactyl/panel", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel" }, { "reference_url": "https://github.com/pterodactyl/panel/commit/2bd9d8baddb0e0606e4a9d5be402f48678ac88d5", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements":
"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-06T14:23:44Z/" } ], "url": "https://github.com/pterodactyl/panel/commit/2bd9d8baddb0e0606e4a9d5be402f48678ac88d5" }, { "reference_url": "https://github.com/pterodactyl/panel/releases/tag/v1.12.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-06T14:23:44Z/" } ], "url": "https://github.com/pterodactyl/panel/releases/tag/v1.12.0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68954", "reference_id": "CVE-2025-68954", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68954" }, { "reference_url": "https://github.com/advisories/GHSA-8c39-xppg-479c", "reference_id": "GHSA-8c39-xppg-479c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8c39-xppg-479c" }, { "reference_url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-8c39-xppg-479c", "reference_id": "GHSA-8c39-xppg-479c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-06T14:23:44Z/" } ], "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-8c39-xppg-479c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73118?format=api", "purl": "pkg:composer/pterodactyl/panel@1.12.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ex7c-s6tk-cub4" }, { "vulnerability": "VCID-y8bz-8ura-hqc3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@1.12.0" } ], "aliases": [ "CVE-2025-68954", "GHSA-8c39-xppg-479c" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8spz-vf88-ffg6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49768?format=api", "vulnerability_id": "VCID-euq3-t72s-v7hx", "summary": "Pterodactyl improperly locks resources allowing raced queries to create more resources than alloted\nPterodactyl implements rate limits that are applied to the total number of resources (e.g. databases, port allocations, or backups) that can exist for an individual server. These resource limits are applied on a per-server basis, and validated during the request cycle.\n\nHowever, it is possible for a malicious user to send a massive volume of requests at the same time that would create more resources than the server is allotted. This is because the validation occurs early in the request cycle and does not lock the target resource while it is processing. 
As a result sending a large volume of requests at the same time would lead all of those requests to validate as not using any of the target resources, and then all creating the resources at the same time.\n\nAs a result a server would be able to create more databases, allocations, or backups than configured.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-69198", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00063", "scoring_system": "epss", "scoring_elements": "0.19682", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00063", "scoring_system": "epss", "scoring_elements": "0.19726", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00063", "scoring_system": "epss", "scoring_elements": "0.19729", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-69198" }, { "reference_url": "https://github.com/pterodactyl/panel", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel" }, { "reference_url": "https://github.com/pterodactyl/panel/commit/09caa0d4995bd924b53b9a9e9b4883ac27bd5607", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", 
"scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-20T19:37:10Z/" } ], "url": "https://github.com/pterodactyl/panel/commit/09caa0d4995bd924b53b9a9e9b4883ac27bd5607" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69198", "reference_id": "CVE-2025-69198", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69198" }, { "reference_url": "https://github.com/advisories/GHSA-jw2v-cq5x-q68g", "reference_id": "GHSA-jw2v-cq5x-q68g", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jw2v-cq5x-q68g" }, { "reference_url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-jw2v-cq5x-q68g", "reference_id": "GHSA-jw2v-cq5x-q68g", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-20T19:37:10Z/" } ], "url": 
"https://github.com/pterodactyl/panel/security/advisories/GHSA-jw2v-cq5x-q68g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73118?format=api", "purl": "pkg:composer/pterodactyl/panel@1.12.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ex7c-s6tk-cub4" }, { "vulnerability": "VCID-y8bz-8ura-hqc3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@1.12.0" } ], "aliases": [ "CVE-2025-69198", "GHSA-jw2v-cq5x-q68g" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-euq3-t72s-v7hx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50174?format=api", "vulnerability_id": "VCID-ex7c-s6tk-cub4", "summary": "Pterodactyl Panel Allows Cross-Node Server Configuration Disclosure via Remote API Missing Authorization\nA missing authorization check in multiple controllers allows any user with access to a node secret token to fetch information about any server on a Pterodactyl instance, even if that server is associated with a different node. This issue stems from missing logic to verify that the node requesting server data is the same node that the server is associated with.\n\nAny authenticated Wings node can retrieve server installation scripts (potentially containing secret values) and manipulate the installation status of servers belonging to other nodes. Wings nodes may also manipulate the transfer status of servers belonging to other nodes.\n\n_This vulnerability requires a user to acquire a secret access token for a node. We rated this issue based on potential worst outcome. 
Unless a user gains access to a Wings secret access token they would not be able to access any of these vulnerable endpoints, as every endpoint requires a valid node access token._", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26016", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00065", "scoring_system": "epss", "scoring_elements": "0.20537", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00065", "scoring_system": "epss", "scoring_elements": "0.20551", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26016" }, { "reference_url": "https://github.com/pterodactyl/panel", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:L/SA:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel" }, { "reference_url": "https://github.com/pterodactyl/panel/releases/tag/v1.12.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:L/SA:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-20T15:29:43Z/" } ], "url": "https://github.com/pterodactyl/panel/releases/tag/v1.12.1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26016", "reference_id": "CVE-2026-26016", "reference_type": "", "scores": [ { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:L/SA:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26016" }, 
{ "reference_url": "https://github.com/advisories/GHSA-g7vw-f8p5-c728", "reference_id": "GHSA-g7vw-f8p5-c728", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g7vw-f8p5-c728" }, { "reference_url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-g7vw-f8p5-c728", "reference_id": "GHSA-g7vw-f8p5-c728", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:L/SA:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-20T15:29:43Z/" } ], "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-g7vw-f8p5-c728" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74061?format=api", "purl": "pkg:composer/pterodactyl/panel@1.12.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@1.12.1" } ], "aliases": [ "CVE-2026-26016", "GHSA-g7vw-f8p5-c728" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ex7c-s6tk-cub4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49531?format=api", "vulnerability_id": "VCID-k7th-zxza-suax", "summary": "Pterodactyl has a Reflected XSS vulnerability in “Create New Database Host”\nWhen an administrative user creates a new database host they are prompted to provide a `Host` value which is expected to be a domain or IP address. 
When an invalid value is encountered and passed back to `gethostaddr` and/or directly to the MySQL connection tooling, an error is returned. This error is then passed back along to the front-end, but was not properly sanitized when rendered.\n\nTherefore it is possible for an admin to _knowingly_ paste a malicious payload such as `<script>prompt(document.domain)</script>` into the `Host` field and XSS themselves.", "references": [ { "reference_url": "https://github.com/pterodactyl/panel", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel" }, { "reference_url": "https://github.com/pterodactyl/panel/commit/1570ff250939b75b3ba8cd03e5025d8293544ed4", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel/commit/1570ff250939b75b3ba8cd03e5025d8293544ed4" }, { "reference_url": "https://github.com/advisories/GHSA-mgr9-6c2j-jxrq", "reference_id": "GHSA-mgr9-6c2j-jxrq", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mgr9-6c2j-jxrq" }, { "reference_url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-mgr9-6c2j-jxrq", "reference_id": "GHSA-mgr9-6c2j-jxrq", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", 
"scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-mgr9-6c2j-jxrq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73118?format=api", "purl": "pkg:composer/pterodactyl/panel@1.12.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ex7c-s6tk-cub4" }, { "vulnerability": "VCID-y8bz-8ura-hqc3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@1.12.0" } ], "aliases": [ "GHSA-mgr9-6c2j-jxrq" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-k7th-zxza-suax" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49592?format=api", "vulnerability_id": "VCID-khx3-uazp-w3ht", "summary": "Pterodactyl TOTPs can be reused during validity window\nWhen a user signs into an account with 2FA enabled they are prompted to enter a token. When that token is used, it is not sufficiently marked as used in the system allowing an attacker that intercepts that token to then use it in addition to a known username/password during the token validity window.\n\nThis vulnerability requires that an attacker already be in possession of a valid username and password combination, and intercept a valid 2FA token (for example, during a screen share). The token must then be provided in addition to the username and password during the limited token validity window. 
The validity window is ~60 seconds as the Panel allows at most one additional window to the current one, each window being 30 seconds.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-69197", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01648", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01641", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-69197" }, { "reference_url": "https://github.com/pterodactyl/panel", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel" }, { "reference_url": "https://github.com/pterodactyl/panel/commit/032bf076d92bb2f929fa69c1bac1b89f26b8badf", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:23:37Z/" } ], "url": "https://github.com/pterodactyl/panel/commit/032bf076d92bb2f929fa69c1bac1b89f26b8badf" }, { "reference_url": "https://github.com/pterodactyl/panel/releases/tag/v1.12.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:23:37Z/" } ], "url": "https://github.com/pterodactyl/panel/releases/tag/v1.12.0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69197", "reference_id": "CVE-2025-69197", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69197" }, { "reference_url": "https://github.com/advisories/GHSA-rgmp-4873-r683", "reference_id": "GHSA-rgmp-4873-r683", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rgmp-4873-r683" }, { "reference_url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-rgmp-4873-r683", "reference_id": "GHSA-rgmp-4873-r683", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:23:37Z/" } ], "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-rgmp-4873-r683" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73118?format=api", "purl": "pkg:composer/pterodactyl/panel@1.12.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ex7c-s6tk-cub4" }, { "vulnerability": "VCID-y8bz-8ura-hqc3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@1.12.0" } ], "aliases": [ "CVE-2025-69197", "GHSA-rgmp-4873-r683" ], "risk_score": 3.1, "exploitability": 
"0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-khx3-uazp-w3ht" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50156?format=api", "vulnerability_id": "VCID-y8bz-8ura-hqc3", "summary": "Pterodactyl Panel's SFTP sessions remain active after user account deletion or password change\nDeleting a user account with SFTP access or changing the user's password does not immediately terminate existing SFTP sessions, allowing continued filesystem access after credentials are revoked.\nThis can result in unintended and unauthorized access to server files even after administrators believe access has been fully invalidated.", "references": [ { "reference_url": "https://github.com/pterodactyl/panel", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel" }, { "reference_url": "https://github.com/pterodactyl/panel/commit/0e74f3aadec89405751ec602c77fc1d030a417c0", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel/commit/0e74f3aadec89405751ec602c77fc1d030a417c0" }, { "reference_url": "https://github.com/pterodactyl/panel/releases/tag/v1.12.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel/releases/tag/v1.12.1" }, { 
"reference_url": "https://github.com/advisories/GHSA-hr7j-63v7-vj7g", "reference_id": "GHSA-hr7j-63v7-vj7g", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hr7j-63v7-vj7g" }, { "reference_url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-hr7j-63v7-vj7g", "reference_id": "GHSA-hr7j-63v7-vj7g", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-hr7j-63v7-vj7g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74061?format=api", "purl": "pkg:composer/pterodactyl/panel@1.12.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@1.12.1" } ], "aliases": [ "GHSA-hr7j-63v7-vj7g" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y8bz-8ura-hqc3" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57509?format=api", "vulnerability_id": "VCID-3whz-s48q-cqay", "summary": "Pterodactyl Panel Allows Unauthenticated Arbitrary Remote Code Execution\nUsing the `/locales/locale.json` with the `locale` and `namespace` query parameters, a malicious actor is able to execute arbitrary code, without being authenticated.\n\nWith the ability to execute arbitrary code, this vulnerability can be exploited in an infinite number of ways. 
It could be used to gain access to the Panel's server, read credentials from the Panel's config (`.env` or otherwise), extract sensitive information from the database (such as user details [username, email, first and last name, hashed password, ip addresses, etc]), access files of servers managed by the panel, etc.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-49132", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.12525", "scoring_system": "epss", "scoring_elements": "0.94075", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.12525", "scoring_system": "epss", "scoring_elements": "0.94072", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.12525", "scoring_system": "epss", "scoring_elements": "0.94074", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-49132" }, { "reference_url": "https://github.com/pterodactyl/panel", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pterodactyl/panel" }, { "reference_url": "https://github.com/pterodactyl/panel/commit/24c82b0e335fb5d7a844226b08abf9f176e592f0", "reference_id": "", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-06-20T17:34:12Z/" } ], "url": "https://github.com/pterodactyl/panel/commit/24c82b0e335fb5d7a844226b08abf9f176e592f0" }, { "reference_url": 
"https://github.com/pterodactyl/panel/releases/tag/v1.11.11", "reference_id": "", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-06-20T17:34:12Z/" } ], "url": "https://github.com/pterodactyl/panel/releases/tag/v1.11.11" }, { "reference_url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52341.py", "reference_id": "CVE-2025-49132", "reference_type": "exploit", "scores": [], "url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52341.py" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49132", "reference_id": "CVE-2025-49132", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49132" }, { "reference_url": "https://github.com/advisories/GHSA-24wv-6c99-f843", "reference_id": "GHSA-24wv-6c99-f843", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-24wv-6c99-f843" }, { "reference_url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-24wv-6c99-f843", "reference_id": "GHSA-24wv-6c99-f843", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": 
"generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-06-20T17:34:12Z/" } ], "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-24wv-6c99-f843" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/85551?format=api", "purl": "pkg:composer/pterodactyl/panel@1.11.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8spz-vf88-ffg6" }, { "vulnerability": "VCID-euq3-t72s-v7hx" }, { "vulnerability": "VCID-ex7c-s6tk-cub4" }, { "vulnerability": "VCID-k7th-zxza-suax" }, { "vulnerability": "VCID-khx3-uazp-w3ht" }, { "vulnerability": "VCID-y8bz-8ura-hqc3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@1.11.11" } ], "aliases": [ "CVE-2025-49132", "GHSA-24wv-6c99-f843" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3whz-s48q-cqay" } ], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@1.11.11" }