Resource exhaustion in Pterodactyl Wings

CVE-2026-21696

Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Starting in version 1.7.0 and prior to version 1.12.0, Wings does not consider SQLite max parameter limit when processing activity log ent…

Vulnerability class: DoS (Denial of Service)

EPSS: 0.001 (23.5th percentile) — read the EPSS interpretation.

Affected products

Pterodactyl Wings — versions >= 1.7.0, < 1.12.0

Weakness classification (CWE)

CWE-400 — Uncontrolled Resource Consumption

References

https://github.com/pterodactyl/wings/security/advisories/GHSA-2497-gp99-2m74 (x_refsource_CONFIRM)
https://github.com/pterodactyl/wings/blob/9ffbcdcdb1163da823cf9959b9602df9f7dcb54a/internal/cron/activity_cron.go#L81 (x_refsource_MISC)
https://github.com/pterodactyl/wings/blob/9ffbcdcdb1163da823cf9959b9602df9f7dcb54a/internal/cron/sftp_cron.go#L86 (x_refsource_MISC)