[CRITICAL] Pterodactyl Panel Allows Cross-Node Server Configuration Disclosure via Remote API Missing Authorization

PKSA-773t-3wms-bb2z CVE-2026-26016 GHSA-g7vw-f8p5-c728

Affected version: <1.12.1

Reported by:
GitHub

[HIGH] Pterodactyl Panel's SFTP sessions remain active after user account deletion or password change

PKSA-khps-r6nm-3z7r GHSA-hr7j-63v7-vj7g

Affected version: <1.12.1

Reported by:
GitHub