| purl | pkg:composer/pterodactyl/panel@0.7.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-4b3f-bz65-abfz (Aliases: GHSA-5822-pw57-vv37, GMS-2020-584) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pterodactyl/panel. | Affected by 3 other vulnerabilities. |
| VCID-4dmv-578h-yffr (Aliases: CVE-2021-41273, GHSA-wwgq-9jhf-qgw6) | Cross-Site Request Forgery (CSRF). Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. Due to improperly configured CSRF protections on two routes, a malicious user could execute a CSRF-based attack against the following endpoints: sending a test email and generating a node auto-deployment token. At no point would any data be exposed to the malicious user; this would simply trigger email spam to an administrative user, or generate a single auto-deployment token unexpectedly. This token is not revealed to the malicious user, it is simply created unexpectedly in the system. This has been addressed in release `1.6.6`. Users may optionally manually apply the fixes released in v1.6.6 to patch their own systems. | Affected by 1 other vulnerability. |
| VCID-9b11-582z-9uad (Aliases: CVE-2021-41176, GHSA-m49f-hcxp-6hm6) | Cross-Site Request Forgery (CSRF). Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. This requires a targeted attack against a specific Panel instance, and serves only to sign a user out. **No user details are leaked, nor is any user data affected, this is simply an annoyance at worst.** This is fixed | Affected by 2 other vulnerabilities. |
| VCID-gwx6-sjts-hygr (Aliases: CVE-2019-1020002, GHSA-fg52-xjfc-9rh8) | Pterodactyl vulnerable to 2FA Sniffing. **Pterodactyl version 0.7.13 and lower - 2FA Sniffing.** ### Impact Users who have enabled 2FA protections on their account can unintentionally have their account's existence sniffed by malicious users who enter random credentials into the login fields. A logical mistake was made when the original code was written: it would wait to verify the user's password until they had provided 2FA credentials, if 2FA was enabled on their account. Because of this, an attacker could enter a bad password for a known email and determine that the account exists by observing the redirect to a 2FA page. ### For more information If you have any questions or comments about this advisory please reach out on Discord or email dane@[project name].io. | Affected by 4 other vulnerabilities. |
| VCID-rzhf-4asb-tqe8 (Aliases: GHSA-7v3x-h7r2-34jv, GMS-2022-28) | Insufficient Session Expiration in Pterodactyl API. ### Impact A vulnerability exists in Pterodactyl Panel `<= 1.6.6` that could allow a malicious attacker who compromises an API key to generate an authenticated user session that is not revoked when the API key is deleted, thus allowing the malicious user to remain logged in as the user the key belonged to. It is important to note that **a malicious user must first compromise an existing API key for a user to exploit this issue**. It cannot be exploited by chance, and requires a coordinated attack against an individual account using a known API key. ### Patches This issue has been addressed in the `v1.7.0` release of Pterodactyl Panel. ### Workarounds Those not wishing to upgrade may apply the change below: ```diff diff --git a/app/Http/Middleware/Api/AuthenticateKey.php b/app/Http/Middleware/Api/AuthenticateKey.php index eb25dac6..857bfab2 100644 --- a/app/Http/Middleware/Api/AuthenticateKey.php +++ b/app/Http/Middleware/Api/AuthenticateKey.php @@ -70,7 +70,7 @@ class AuthenticateKey } else { $model = $this->authenticateApiKey($request->bearerToken(), $keyType); - $this->auth->guard()->loginUsingId($model->user_id); + $this->auth->guard()->onceUsingId($model->user_id); } ``` ### For more information If you have any questions or comments about this advisory please reach out to `Tactical Fish#8008` on [Discord](https://discord.gg/pterodactyl) or email `dane@pterodactyl.io`. | Affected by 0 other vulnerabilities. |
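Review bot: the `loginUsingId` to `onceUsingId` swap in the bearer-token `else` branch is the right fix for the root cause, since `onceUsingId` authenticates the user for the current request only and writes no session or cookie, but the hunk does nothing about sessions that were already minted under the old code, so the workaround text should tell operators to invalidate existing sessions for affected users after applying it; the hunk also shows only the `else` branch, so the branch above it (outside the visible context) should be checked for the same `loginUsingId` call before the change is considered complete.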
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |