Vulnerability details: VCID-ak5j-hyqv-83gh
Vulnerability ID VCID-ak5j-hyqv-83gh
Aliases CVE-2025-49132
GHSA-24wv-6c99-f843
Summary Pterodactyl is a free, open-source game server management panel. Prior to version 1.11.11, a malicious actor is able to execute arbitrary code without being authenticated by using the /locales/locale.json endpoint with the locale and namespace query parameters. The ability to execute arbitrary code could be used to gain access to the Panel's server, read credentials from the Panel's config, extract sensitive information from the database, access files of servers managed by the panel, etc. This issue has been patched in version 1.11.11. There are no software workarounds for this vulnerability, but use of an external Web Application Firewall (WAF) could help mitigate this attack.
Status Published
Exploitability 2.0
Weighted Severity 9.0
Risk 10.0
Weaknesses (3)
System Score Found at
epss 0.12525 https://api.first.org/data/v1/epss?cve=CVE-2025-49132
cvssv3.1 10.0 https://github.com/pterodactyl/panel
generic_textual CRITICAL https://github.com/pterodactyl/panel
cvssv3.1 10 https://github.com/pterodactyl/panel/commit/24c82b0e335fb5d7a844226b08abf9f176e592f0
cvssv3.1 10.0 https://github.com/pterodactyl/panel/commit/24c82b0e335fb5d7a844226b08abf9f176e592f0
generic_textual CRITICAL https://github.com/pterodactyl/panel/commit/24c82b0e335fb5d7a844226b08abf9f176e592f0
ssvc Track https://github.com/pterodactyl/panel/commit/24c82b0e335fb5d7a844226b08abf9f176e592f0
cvssv3.1 10 https://github.com/pterodactyl/panel/releases/tag/v1.11.11
cvssv3.1 10.0 https://github.com/pterodactyl/panel/releases/tag/v1.11.11
generic_textual CRITICAL https://github.com/pterodactyl/panel/releases/tag/v1.11.11
ssvc Track https://github.com/pterodactyl/panel/releases/tag/v1.11.11
cvssv3.1 10 https://github.com/pterodactyl/panel/security/advisories/GHSA-24wv-6c99-f843
cvssv3.1 10.0 https://github.com/pterodactyl/panel/security/advisories/GHSA-24wv-6c99-f843
generic_textual CRITICAL https://github.com/pterodactyl/panel/security/advisories/GHSA-24wv-6c99-f843
ssvc Track https://github.com/pterodactyl/panel/security/advisories/GHSA-24wv-6c99-f843
cvssv3.1 10.0 https://nvd.nist.gov/vuln/detail/CVE-2025-49132
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2025-49132
Data source Exploit-DB
Date added June 26, 2025
Description Pterodactyl Panel 1.11.11 - Remote Code Execution (RCE)
Ransomware campaign use Unknown
Source publication date June 26, 2025
Exploit type webapps
Platform multiple
Source update date June 26, 2025
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/pterodactyl/panel
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/pterodactyl/panel/commit/24c82b0e335fb5d7a844226b08abf9f176e592f0
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-06-20T17:34:12Z/ Found at https://github.com/pterodactyl/panel/commit/24c82b0e335fb5d7a844226b08abf9f176e592f0
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/pterodactyl/panel/releases/tag/v1.11.11
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-06-20T17:34:12Z/ Found at https://github.com/pterodactyl/panel/releases/tag/v1.11.11
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/pterodactyl/panel/security/advisories/GHSA-24wv-6c99-f843
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-06-20T17:34:12Z/ Found at https://github.com/pterodactyl/panel/security/advisories/GHSA-24wv-6c99-f843
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2025-49132
Exploit Prediction Scoring System (EPSS)
Percentile 0.94094
EPSS Score 0.12525
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T17:01:44.487982+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2025/49xxx/CVE-2025-49132.json 38.6.0