PT-2026-3490 · Pterodactyl · Wings

Danny6167 · Published 2026-01-19 · Updated 2026-02-06 · CVE-2026-21696

CVSS v4.0: 8.3 High

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Name of the Vulnerable Software and Affected Versions

Wings versions 1.7.0 through 1.11.9

Description

Wings, the server control plane for Pterodactyl, is affected by an issue where it does not account for SQLite’s maximum parameter limit when handling activity log entries. This allows a low-privileged user to cause the panel to be flooded with activity records. The system attempts to delete activity entries from the SQLite database in a single query, exceeding the limit of 32766 parameters. This results in an error, preventing the deletion of entries, which are then repeatedly re-processed and sent to the panel. An attacker can exploit this to repeatedly upload the same activity data to the panel, potentially exhausting the database server’s disk space.

Recommendations

Update to Wings version 1.12.0 or later.
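
The failure described above comes from binding one parameter per row in a single DELETE. As an added example (not Wings' code and not the upstream fix), the Go code below splits a backlog of row IDs into DELETE statements that each stay within the 32766-parameter limit. The table name `activity_logs`, the `id` column and the function and type names are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// maxSQLiteParams is the per-statement parameter limit quoted in the advisory.
const maxSQLiteParams = 32766

// deleteBatch is one DELETE statement and the arguments to bind to it.
type deleteBatch struct {
	Query string
	Args  []any
}

// buildDeleteBatches splits ids so that no statement binds more than limit
// parameters. Table and column names are assumed for illustration.
func buildDeleteBatches(ids []int64, limit int) ([]deleteBatch, error) {
	if limit < 1 {
		return nil, fmt.Errorf("limit must be positive, got %d", limit)
	}
	var batches []deleteBatch
	for start := 0; start < len(ids); start += limit {
		end := start + limit
		if end > len(ids) {
			end = len(ids) // final, shorter batch
		}
		args := make([]any, 0, end-start)
		for _, id := range ids[start:end] {
			args = append(args, id)
		}
		placeholders := strings.TrimSuffix(strings.Repeat("?,", len(args)), ",")
		batches = append(batches, deleteBatch{
			Query: "DELETE FROM activity_logs WHERE id IN (" + placeholders + ")",
			Args:  args,
		})
	}
	return batches, nil
}

func main() {
	ids := make([]int64, 70000) // constructed backlog, larger than one statement allows
	for i := range ids {
		ids[i] = int64(i + 1)
	}
	batches, _ := buildDeleteBatches(ids, maxSQLiteParams)
	for i, b := range batches {
		fmt.Printf("batch %d binds %d parameters\n", i+1, len(b.Args))
	}
}
```

Running the batches inside one transaction keeps the delete atomic, so a failure part-way through does not leave a partially cleared backlog.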

Exploit

Fix

Resource Exhaustion

Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

CVE-2026-21696
GHSA-2497-GP99-2M74
GO-2026-4329
SUSE-SU-2026:0403-1

Affected Products

Wings