GHSA-mgr9-6c2j-jxrq: Pterodactyl has a Reflected XSS vulnerability in “Create New Database Host”
When an administrative user creates a new database host they are prompted to provide a Host value, which is expected to be a domain name or IP address. When an invalid value is encountered and passed to gethostaddr and/or directly to the MySQL connection tooling, an error is returned. This error, which echoes the submitted value, is then passed back to the front end, but was not properly sanitized (HTML-encoded) when rendered.
Therefore it is possible for an admin to knowingly paste a malicious payload such as <script>prompt(document.domain)</script> into the Host field and XSS themselves.
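The following is an added illustration, not Pterodactyl's code, of the pattern the advisory describes: an error message that echoes the submitted host value is interpolated into HTML without encoding, so markup in the value is parsed as markup. The `hostLookupError` helper, the alert markup and the `escapeHtml` routine are assumptions made for this example; the only input used is the payload already quoted above, embedded here as a constructed value.

```javascript
// Added example (not Pterodactyl's code): reflected XSS through an
// unsanitized error message, and the output-encoding fix.

// Minimal HTML entity encoding for text placed into an HTML element context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Stands in for the back end: an invalid host value produces an error whose
// text echoes the submitted value (hypothetical message format).
function hostLookupError(host) {
  return `Could not resolve host "${host}"`;
}

// Vulnerable rendering: the error string is dropped into the page as-is.
// Equivalent to element.innerHTML = message in a browser.
function renderErrorUnsafe(host) {
  return `<div class="alert alert-danger">${hostLookupError(host)}</div>`;
}

// Fixed rendering: encode the text before it enters the HTML context.
// In a browser, assigning element.textContent instead of innerHTML gives the
// same result without a manual encoder.
function renderErrorSafe(host) {
  return `<div class="alert alert-danger">${escapeHtml(hostLookupError(host))}</div>`;
}

// A regression check a test suite can run against rendered output:
// does an unencoded <script tag from the input survive rendering?
function containsRawTag(html) {
  return /<script\b/i.test(html);
}

// Constructed input: the payload quoted in the advisory text.
const CONSTRUCTED_PAYLOAD = "<script>prompt(document.domain)</script>";

if (typeof module !== "undefined" && require.main === module) {
  console.log("unsafe:", renderErrorUnsafe(CONSTRUCTED_PAYLOAD));
  console.log("safe:  ", renderErrorSafe(CONSTRUCTED_PAYLOAD));
}
```

Running the block prints the two renderings side by side; the unsafe one contains a live `<script>` element, the safe one shows the same text as literal characters. The `containsRawTag` check is the kind of assertion worth keeping in a front-end test suite for any view that reflects server-side error text.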