CVE-2021-41176
4.3 MEDIUM
Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go
Published: 2021-10-25 · Last updated: 2026-06-17
Severity and scoring
- CVSS: 4.3 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- CWE: CWE-352
Affected products
| Vendor | Product |
|---|---|
| pterodactyl | panel |
Description
Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. In affected versions of Pterodactyl, a malicious user can trigger a user logout if a signed-in user visits a malicious website that makes a request to the Panel's sign-out endpoint. This requires a targeted attack against a specific Panel instance, and serves only to sign a user out. **No user details are leaked, nor is any user data affected; this is simply an annoyance at worst.** This is fixed in version 1.6.3.
Source: NVD
References
- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-41176)
- [Patch](https://github.com/pterodactyl/panel/commit/45999ba4ee1b2dcb12b4a2fa2cedfb6b5d66fac2)
- [Other](https://github.com/pterodactyl/panel/releases/tag/v1.6.3)
- [Other](https://github.com/pterodactyl/panel/security/advisories/GHSA-m49f-hcxp-6hm6)
Related CVEs
Same vendor
- CVE-2021-41129 — Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go (8.1 HIGH)
Same CWE
- CVE-2026-49043 — Unauthenticated Cross Site Request Forgery (CSRF) in WP Migrate Lite <= 2.7.8 versions (4.7 MEDIUM)
- CVE-2026-48518 — MultiJuicer is used to run separate Juice Shop instances on a central kubernetes cluster without the need for local instances (4.3 MEDIUM)
- CVE-2016-20083 — WordPress More Fields Plugin 2.1 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized action... (5.3 MEDIUM)
- CVE-2016-20074 — WordPress Lazy Content Slider Plugin 3.4 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorize... (4.3 MEDIUM)
- CVE-2016-20067 — WordPress CP Polls 1.0.8 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on beh... (4.3 MEDIUM)