Danny6167

**Name of the Vulnerable Software and Affected Versions** Wings versions 1.7.0 through 1.11.9 **Description** Wings, the server control plane for Pterodactyl, is affected by an issue where it does not account for SQLite’s maximum parameter limit when handling activity log entries. This allows a low-privileged user to cause the panel to be flooded with activity records. The system attempts to delete activity entries from the SQLite database in a single query, exceeding the limit of 32766 parameters. This results in an error, preventing the deletion of entries, which are then repeatedly re-processed and sent to the panel. An attacker can exploit this to repeatedly upload the same activity data to the panel, potentially exhausting the database server’s disk space. **Recommendations** Update to Wings version 1.12.0 or later.