CVE-2026-21696: Pterodactyl endlessly reprocesses/reuploads activity log data due to SQLite max parameters limit not being considered
Wings does not consider the SQLite max parameter limit when processing activity log entries, allowing a low-privileged user to trigger a condition that floods the panel with activity records.
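The failure mode and a bounded-batch cleanup, as an added example that is not Wings code: it assumes a run uploads pending rows and then deletes them by id, and `store`, `fill`, `deleteIn`, `deleteChunked` and the 999 limit are hypothetical names and values chosen for illustration.

```go
package main

import "fmt"

const maxParams = 999 // assumed limit: SQLite's default before 3.32.0

type store struct{ rows map[int]bool } // constructed stand-in for the activity table

func fill(n int) (*store, []int) {
	s, ids := &store{rows: map[int]bool{}}, make([]int, n)
	for i := range ids {
		ids[i] = i + 1
		s.rows[i+1] = true
	}
	return s, ids
}

// deleteIn models DELETE ... WHERE id IN (?, ...); over the limit it fails whole.
func (s *store) deleteIn(ids []int) error {
	if len(ids) > maxParams {
		return fmt.Errorf("too many SQL variables: %d", len(ids))
	}
	for _, id := range ids {
		delete(s.rows, id)
	}
	return nil
}

// deleteChunked keeps each statement at or under limit and reports any failure.
func deleteChunked(s *store, ids []int, limit int) error {
	if limit < 1 {
		return fmt.Errorf("invalid chunk size %d", limit)
	}
	for start := 0; start < len(ids); start += limit {
		end := start + limit
		if end > len(ids) {
			end = len(ids)
		}
		if err := s.deleteIn(ids[start:end]); err != nil {
			return fmt.Errorf("delete ids[%d:%d]: %w", start, end, err)
		}
	}
	return nil
}

func main() {
	s, ids := fill(2500) // constructed backlog larger than the limit
	fmt.Println(s.deleteIn(ids), len(s.rows))
	fmt.Println(deleteChunked(s, ids, maxParams), len(s.rows))
}
```

When the single statement fails, every row stays in the table, so a later run that selects pending rows picks up the same entries again.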
References
- github.com/advisories/GHSA-2497-gp99-2m74
- github.com/pterodactyl/panel/commit/09caa0d4995bd924b53b9a9e9b4883ac27bd5607
- github.com/pterodactyl/panel/releases/tag/v1.12.0
- github.com/pterodactyl/wings
- github.com/pterodactyl/wings/blob/9ffbcdcdb1163da823cf9959b9602df9f7dcb54a/internal/cron/activity_cron.go
- github.com/pterodactyl/wings/blob/9ffbcdcdb1163da823cf9959b9602df9f7dcb54a/internal/cron/sftp_cron.go
- github.com/pterodactyl/wings/security/advisories/GHSA-2497-gp99-2m74
- nvd.nist.gov/vuln/detail/CVE-2026-21696