Panel · CVE-2025-49132
**Name of the Vulnerable Software and Affected Versions**
Pterodactyl versions prior to 1.11.11
**Description**
An unauthenticated malicious actor can execute arbitrary code by using the '/locales/locale.json' endpoint with the `locale` and `namespace` query parameters. This flaw allows for complete server compromise, including accessing the panel server, reading credentials from the configuration (such as the `.env` file), extracting sensitive database information (including usernames, emails, and hashed passwords), and accessing files of servers managed by the panel. Security researchers and malicious actors have attempted to exploit this issue following its announcement.
**Recommendations**
Update to version 1.11.11.
For modified installations using Git, apply the official patch using `git apply`.
As a temporary mitigation, use an external Web Application Firewall (WAF) to block the attack.
Restrict access to the '/locales/locale.json' endpoint at the webserver level, although this will break localization features.
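Added example, not part of this advisory or the Pterodactyl project: a Python scan over constructed access-log lines (combined log format) that flags requests to the `/locales/locale.json` endpoint whose `locale` or `namespace` value is not a plain token. The allowlist pattern is an assumption chosen so the check does not depend on any particular payload shape; tune it to the locales and namespaces your panel actually serves.

```python
import re
from urllib.parse import urlparse, parse_qs

# Combined log format as written by nginx/Apache (constructed sample lines below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: a legitimate locale or namespace value is a short token of letters,
# digits, hyphens and underscores. Anything else is flagged for review.
TOKEN_RE = re.compile(r'^[A-Za-z0-9_-]{1,32}$')

ENDPOINT = '/locales/locale.json'


def suspicious_params(target):
    """Return the names of locale/namespace params whose values fail the allowlist.

    parse_qs percent-decodes values first, so encoded characters are judged
    by what the application would actually receive.
    """
    parsed = urlparse(target)
    if parsed.path != ENDPOINT:
        return []
    qs = parse_qs(parsed.query, keep_blank_values=True)
    bad = []
    for name in ('locale', 'namespace'):
        if any(not TOKEN_RE.match(v) for v in qs.get(name, [])):
            bad.append(name)
    return bad


def scan_log(lines):
    """Parse each log line and collect requests with non-allowlisted values."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable access-log line
        bad = suspicious_params(m.group('target'))
        if bad:
            hits.append({'ip': m.group('ip'), 'status': m.group('status'),
                         'params': bad, 'target': m.group('target')})
    return hits


# Constructed sample lines: one normal request, one with a non-token locale value,
# one unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Jun/2025:10:00:00 +0000] "GET /locales/locale.json?locale=en&namespace=common HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Jun/2025:10:00:01 +0000] "GET /locales/locale.json?locale=foo%2Fbar&namespace=common HTTP/1.1" 200 87 "-" "curl/8.0"',
    '198.51.100.7 - - [20/Jun/2025:10:00:02 +0000] "GET /api/client HTTP/1.1" 403 0 "-" "curl/8.0"',
]

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged request is the case worth prioritising, since it indicates the panel served the response rather than a WAF or webserver rule blocking it.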