{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71727?format=json","vulnerability_id":"VCID-na3h-nqkr-13b2","summary":"Pterodactyl is a free, open-source game server management panel. Prior to version 1.12.3, the Pterodactyl Client API has a logic flaw that lets users bypass their assigned limits for database allocations. This happens because the database locking mechanism used in the controllers is totally broken and doesn't actually lock anything. Version 1.12.3 patches the issue.","aliases":[{"alias":"CVE-2026-35202"},{"alias":"GHSA-fgmm-w5cx-vrfw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41490?format=json","purl":"pkg:composer/pterodactyl/panel@1.12.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@1.12.3"}],"affected_packages":[],"references":[{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35202","reference_id":"CVE-2026-35202","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35202"},{"reference_url":"https://github.com/advisories/GHSA-fgmm-w5cx-vrfw","reference_id":"GHSA-fgmm-w5cx-vrfw","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fgmm-w5cx-vrfw"},{"reference_url":"https://github.com/pterodactyl/panel/security/advisories/GHSA-fgmm-w5cx-vrfw","reference_id":"GHSA-fgmm-w5cx-vrfw","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-03T12:47:43Z/"}],"url":"https://github.com/pterodactyl/panel/security/advisories/GHSA-fgmm-w5cx-vrfw"}],"weaknesses":[{"cwe_id":367,"name":"Time-of-check Time-of-use (TOCTOU) Race Condition","description":"The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state."},{"cwe_id":770,"name":"Allocation of Resources Without Limits or Throttling","description":"The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor."}],"exploits":[],"severity_range_score":"0.1 - 3","exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-na3h-nqkr-13b2"}