Search
Find a vulnerability
Search criteria
10 vulnerabilities found for Venueless by pretix
CVE-2026-13350 (GCVE-0-2026-13350)
Vulnerability from nvd – Published: 2026-06-25 16:05 – Updated: 2026-06-25 18:15
VLAI
Summary
Permissions where checked incorrectly during room creation, allowing attackers to create rooms of types they shouldn't be allowed to create.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization bypass through User-Controlled key
Assigner
References
1 reference
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13350",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T18:15:06.143068Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T18:15:25.953Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Venueless",
"vendor": "pretix",
"versions": [
{
"lessThan": "0a35457f",
"status": "affected",
"version": "0.0.0",
"versionType": "git"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rokkam Vamshi"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Permissions where checked incorrectly during room creation, allowing attackers to create rooms of types they shouldn\u0027t be allowed to create."
}
],
"value": "Permissions where checked incorrectly during room creation, allowing attackers to create rooms of types they shouldn\u0027t be allowed to create."
}
],
"impacts": [
{
"capecId": "CAPEC-114",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-114 Authentication Abuse"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization bypass through User-Controlled key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T16:05:11.500Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"url": "https://github.com/venueless/venueless/security/advisories/GHSA-hj6j-wpgc-qrp5"
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-13350",
"datePublished": "2026-06-25T16:05:11.500Z",
"dateReserved": "2026-06-25T16:01:43.504Z",
"dateUpdated": "2026-06-25T18:15:25.953Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12863 (GCVE-0-2026-12863)
Vulnerability from nvd – Published: 2026-06-22 08:41 – Updated: 2026-06-23 11:54
VLAI
Title
Open redirect
Summary
An unvalidated redirect was contained in Venueless' social login functionality and could be exploited for phishing using trusted domains.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-601 - URL redirection to untrusted site ('open redirect')
Assigner
References
1 reference
Impacted products
Date Public
2026-06-22 08:18
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12863",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T10:27:00.898005Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T10:27:10.247Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Venueless",
"vendor": "pretix",
"versions": [
{
"lessThan": "d27864a7",
"status": "affected",
"version": "0.0.0",
"versionType": "git"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kuturu Rajesh"
}
],
"datePublic": "2026-06-22T08:18:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An unvalidated redirect was contained in Venueless\u0027 social login functionality and could be exploited for phishing using trusted domains."
}
],
"value": "An unvalidated redirect was contained in Venueless\u0027 social login functionality and could be exploited for phishing using trusted domains."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL redirection to untrusted site (\u0027open redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T11:54:38.277Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"url": "https://github.com/venueless/venueless/security/advisories/GHSA-m87f-7c4r-w4p3"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Open redirect",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-12863",
"datePublished": "2026-06-22T08:41:33.126Z",
"dateReserved": "2026-06-22T08:17:20.587Z",
"dateUpdated": "2026-06-23T11:54:38.277Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12862 (GCVE-0-2026-12862)
Vulnerability from nvd – Published: 2026-06-22 08:26 – Updated: 2026-06-22 12:23
VLAI
Title
XLSX formula injection in exports
Summary
Untrusted user data was passed verbatim to Excel exports for administrators. This allowed formula injection which can be used to compromise the environment of the user loading the file or other data in the file.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-148 - Improper neutralization of input leaders
Assigner
References
1 reference
Impacted products
Date Public
2026-06-22 08:18
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12862",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T12:23:08.251405Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T12:23:13.560Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Venueless",
"vendor": "pretix",
"versions": [
{
"lessThan": "0a35457f",
"status": "affected",
"version": "0.0.0",
"versionType": "git"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rokkam Vamshi"
}
],
"datePublic": "2026-06-22T08:18:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Untrusted user data was passed verbatim to Excel exports for administrators. This allowed formula injection which can be used to compromise the environment of the user loading the file or other data in the file."
}
],
"value": "Untrusted user data was passed verbatim to Excel exports for administrators. This allowed formula injection which can be used to compromise the environment of the user loading the file or other data in the file."
}
],
"impacts": [
{
"capecId": "CAPEC-23",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-23 File Content Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-148",
"description": "CWE-148 Improper neutralization of input leaders",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T08:26:10.365Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"url": "https://github.com/venueless/venueless/security/advisories/GHSA-5hw3-655h-7m86"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "XLSX formula injection in exports",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-12862",
"datePublished": "2026-06-22T08:26:10.365Z",
"dateReserved": "2026-06-22T08:16:55.107Z",
"dateUpdated": "2026-06-22T12:23:13.560Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5599 (GCVE-0-2026-5599)
Vulnerability from nvd – Published: 2026-04-05 12:36 – Updated: 2026-04-06 14:33
VLAI
Title
API allows deletion of users of other instance
Summary
A user with API access and "manage users" permission in any venueless
world is able to trigger deletion of user accounts in other worlds.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-653 - Improper isolation or compartmentalization
Assigner
References
1 reference
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5599",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-06T14:32:27.722668Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T14:33:34.105Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Venueless",
"repo": "https://github.com/venueless/venueless",
"vendor": "pretix",
"versions": [
{
"lessThan": "02b9cbe5",
"status": "affected",
"version": "0.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pratik Karan"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A user with API access and \"manage users\" permission in any venueless \nworld is able to trigger deletion of user accounts in other worlds."
}
],
"value": "A user with API access and \"manage users\" permission in any venueless \nworld is able to trigger deletion of user accounts in other worlds."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-653",
"description": "CWE-653 Improper isolation or compartmentalization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-05T12:36:27.278Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"url": "https://github.com/venueless/venueless/security/advisories/GHSA-gwjc-33fv-2gh4"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "API allows deletion of users of other instance",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-5599",
"datePublished": "2026-04-05T12:36:27.278Z",
"dateReserved": "2026-04-05T12:25:52.821Z",
"dateUpdated": "2026-04-06T14:33:34.105Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4982 (GCVE-0-2026-4982)
Vulnerability from nvd – Published: 2026-03-27 12:32 – Updated: 2026-03-27 19:39
VLAI
Title
Unauthorized access to chat contents
Summary
A user with permission "update world" in any Venueless world is able to exfiltrate chat messages from direct messages or channels in other worlds on the same server due to a bug in the reporting feature.
The exploitability is limited by the fact that the attacker needs to know the internal channel UUID of the chat channel, which is unlikely to be obtained by an outside attacker, especially for direct messages.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper input validation
Assigner
References
1 reference
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4982",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T19:23:52.214430Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T19:39:20.014Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Venueless",
"vendor": "pretix",
"versions": [
{
"lessThan": "2026.3.27.e20083a",
"status": "affected",
"version": "0.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pratik Karan"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A user with permission \"update world\" in any Venueless world is able to exfiltrate chat messages from direct messages or channels in other worlds on the same server due to a bug in the reporting feature.\u003cbr\u003e\u003cbr\u003eThe exploitability is limited by the fact that the attacker needs to know the internal channel UUID of the chat channel, which is unlikely to be obtained by an outside attacker, especially for direct messages."
}
],
"value": "A user with permission \"update world\" in any Venueless world is able to exfiltrate chat messages from direct messages or channels in other worlds on the same server due to a bug in the reporting feature.\n\nThe exploitability is limited by the fact that the attacker needs to know the internal channel UUID of the chat channel, which is unlikely to be obtained by an outside attacker, especially for direct messages."
}
],
"impacts": [
{
"capecId": "CAPEC-21",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-21 Exploitation of Trusted Identifiers"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper input validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T12:32:41.164Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"url": "https://github.com/venueless/venueless/security/advisories/GHSA-6fq7-pgj3-6cfp"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Unauthorized access to chat contents",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-4982",
"datePublished": "2026-03-27T12:32:41.164Z",
"dateReserved": "2026-03-27T12:15:15.436Z",
"dateUpdated": "2026-03-27T19:39:20.014Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13350 (GCVE-0-2026-13350)
Vulnerability from cvelistv5 – Published: 2026-06-25 16:05 – Updated: 2026-06-25 18:15
VLAI
Summary
Permissions where checked incorrectly during room creation, allowing attackers to create rooms of types they shouldn't be allowed to create.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization bypass through User-Controlled key
Assigner
References
1 reference
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13350",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T18:15:06.143068Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T18:15:25.953Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Venueless",
"vendor": "pretix",
"versions": [
{
"lessThan": "0a35457f",
"status": "affected",
"version": "0.0.0",
"versionType": "git"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rokkam Vamshi"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Permissions where checked incorrectly during room creation, allowing attackers to create rooms of types they shouldn\u0027t be allowed to create."
}
],
"value": "Permissions where checked incorrectly during room creation, allowing attackers to create rooms of types they shouldn\u0027t be allowed to create."
}
],
"impacts": [
{
"capecId": "CAPEC-114",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-114 Authentication Abuse"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization bypass through User-Controlled key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T16:05:11.500Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"url": "https://github.com/venueless/venueless/security/advisories/GHSA-hj6j-wpgc-qrp5"
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-13350",
"datePublished": "2026-06-25T16:05:11.500Z",
"dateReserved": "2026-06-25T16:01:43.504Z",
"dateUpdated": "2026-06-25T18:15:25.953Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12863 (GCVE-0-2026-12863)
Vulnerability from cvelistv5 – Published: 2026-06-22 08:41 – Updated: 2026-06-23 11:54
VLAI
Title
Open redirect
Summary
An unvalidated redirect was contained in Venueless' social login functionality and could be exploited for phishing using trusted domains.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-601 - URL redirection to untrusted site ('open redirect')
Assigner
References
1 reference
Impacted products
Date Public
2026-06-22 08:18
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12863",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T10:27:00.898005Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T10:27:10.247Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Venueless",
"vendor": "pretix",
"versions": [
{
"lessThan": "d27864a7",
"status": "affected",
"version": "0.0.0",
"versionType": "git"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kuturu Rajesh"
}
],
"datePublic": "2026-06-22T08:18:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An unvalidated redirect was contained in Venueless\u0027 social login functionality and could be exploited for phishing using trusted domains."
}
],
"value": "An unvalidated redirect was contained in Venueless\u0027 social login functionality and could be exploited for phishing using trusted domains."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL redirection to untrusted site (\u0027open redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T11:54:38.277Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"url": "https://github.com/venueless/venueless/security/advisories/GHSA-m87f-7c4r-w4p3"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Open redirect",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-12863",
"datePublished": "2026-06-22T08:41:33.126Z",
"dateReserved": "2026-06-22T08:17:20.587Z",
"dateUpdated": "2026-06-23T11:54:38.277Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12862 (GCVE-0-2026-12862)
Vulnerability from cvelistv5 – Published: 2026-06-22 08:26 – Updated: 2026-06-22 12:23
VLAI
Title
XLSX formula injection in exports
Summary
Untrusted user data was passed verbatim to Excel exports for administrators. This allowed formula injection which can be used to compromise the environment of the user loading the file or other data in the file.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-148 - Improper neutralization of input leaders
Assigner
References
1 reference
Impacted products
Date Public
2026-06-22 08:18
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12862",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T12:23:08.251405Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T12:23:13.560Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Venueless",
"vendor": "pretix",
"versions": [
{
"lessThan": "0a35457f",
"status": "affected",
"version": "0.0.0",
"versionType": "git"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rokkam Vamshi"
}
],
"datePublic": "2026-06-22T08:18:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Untrusted user data was passed verbatim to Excel exports for administrators. This allowed formula injection which can be used to compromise the environment of the user loading the file or other data in the file."
}
],
"value": "Untrusted user data was passed verbatim to Excel exports for administrators. This allowed formula injection which can be used to compromise the environment of the user loading the file or other data in the file."
}
],
"impacts": [
{
"capecId": "CAPEC-23",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-23 File Content Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-148",
"description": "CWE-148 Improper neutralization of input leaders",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T08:26:10.365Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"url": "https://github.com/venueless/venueless/security/advisories/GHSA-5hw3-655h-7m86"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "XLSX formula injection in exports",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-12862",
"datePublished": "2026-06-22T08:26:10.365Z",
"dateReserved": "2026-06-22T08:16:55.107Z",
"dateUpdated": "2026-06-22T12:23:13.560Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5599 (GCVE-0-2026-5599)
Vulnerability from cvelistv5 – Published: 2026-04-05 12:36 – Updated: 2026-04-06 14:33
VLAI
Title
API allows deletion of users of other instance
Summary
A user with API access and "manage users" permission in any venueless
world is able to trigger deletion of user accounts in other worlds.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-653 - Improper isolation or compartmentalization
Assigner
References
1 reference
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5599",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-06T14:32:27.722668Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T14:33:34.105Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Venueless",
"repo": "https://github.com/venueless/venueless",
"vendor": "pretix",
"versions": [
{
"lessThan": "02b9cbe5",
"status": "affected",
"version": "0.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pratik Karan"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A user with API access and \"manage users\" permission in any venueless \nworld is able to trigger deletion of user accounts in other worlds."
}
],
"value": "A user with API access and \"manage users\" permission in any venueless \nworld is able to trigger deletion of user accounts in other worlds."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-653",
"description": "CWE-653 Improper isolation or compartmentalization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-05T12:36:27.278Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"url": "https://github.com/venueless/venueless/security/advisories/GHSA-gwjc-33fv-2gh4"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "API allows deletion of users of other instance",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-5599",
"datePublished": "2026-04-05T12:36:27.278Z",
"dateReserved": "2026-04-05T12:25:52.821Z",
"dateUpdated": "2026-04-06T14:33:34.105Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4982 (GCVE-0-2026-4982)
Vulnerability from cvelistv5 – Published: 2026-03-27 12:32 – Updated: 2026-03-27 19:39
VLAI
Title
Unauthorized access to chat contents
Summary
A user with permission "update world" in any Venueless world is able to exfiltrate chat messages from direct messages or channels in other worlds on the same server due to a bug in the reporting feature.
The exploitability is limited by the fact that the attacker needs to know the internal channel UUID of the chat channel, which is unlikely to be obtained by an outside attacker, especially for direct messages.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper input validation
Assigner
References
1 reference
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4982",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T19:23:52.214430Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T19:39:20.014Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Venueless",
"vendor": "pretix",
"versions": [
{
"lessThan": "2026.3.27.e20083a",
"status": "affected",
"version": "0.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pratik Karan"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A user with permission \"update world\" in any Venueless world is able to exfiltrate chat messages from direct messages or channels in other worlds on the same server due to a bug in the reporting feature.\u003cbr\u003e\u003cbr\u003eThe exploitability is limited by the fact that the attacker needs to know the internal channel UUID of the chat channel, which is unlikely to be obtained by an outside attacker, especially for direct messages."
}
],
"value": "A user with permission \"update world\" in any Venueless world is able to exfiltrate chat messages from direct messages or channels in other worlds on the same server due to a bug in the reporting feature.\n\nThe exploitability is limited by the fact that the attacker needs to know the internal channel UUID of the chat channel, which is unlikely to be obtained by an outside attacker, especially for direct messages."
}
],
"impacts": [
{
"capecId": "CAPEC-21",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-21 Exploitation of Trusted Identifiers"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper input validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T12:32:41.164Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"url": "https://github.com/venueless/venueless/security/advisories/GHSA-6fq7-pgj3-6cfp"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Unauthorized access to chat contents",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-4982",
"datePublished": "2026-03-27T12:32:41.164Z",
"dateReserved": "2026-03-27T12:15:15.436Z",
"dateUpdated": "2026-03-27T19:39:20.014Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}