Search

Find a vulnerability

Search criteria

    10 vulnerabilities found for Venueless by pretix

    CVE-2026-13350 (GCVE-0-2026-13350)

    Vulnerability from nvd – Published: 2026-06-25 16:05 – Updated: 2026-06-25 18:15
    VLAI
    Summary
    Permissions where checked incorrectly during room creation, allowing attackers to create rooms of types they shouldn't be allowed to create.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization bypass through User-Controlled key
    Assigner
    Impacted products
    Vendor Product Version
    pretix Venueless Affected: 0.0.0 , < 0a35457f (git)
    Create a notification for this product.
    Credits
    Rokkam Vamshi
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-13350",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T18:15:06.143068Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T18:15:25.953Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Venueless",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "0a35457f",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "git"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Rokkam Vamshi"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Permissions where checked incorrectly during room creation, allowing attackers to create rooms of types they shouldn\u0027t be allowed to create."
                }
              ],
              "value": "Permissions where checked incorrectly during room creation, allowing attackers to create rooms of types they shouldn\u0027t be allowed to create."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-114",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-114 Authentication Abuse"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization bypass through User-Controlled key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T16:05:11.500Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "url": "https://github.com/venueless/venueless/security/advisories/GHSA-hj6j-wpgc-qrp5"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-13350",
        "datePublished": "2026-06-25T16:05:11.500Z",
        "dateReserved": "2026-06-25T16:01:43.504Z",
        "dateUpdated": "2026-06-25T18:15:25.953Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12863 (GCVE-0-2026-12863)

    Vulnerability from nvd – Published: 2026-06-22 08:41 – Updated: 2026-06-23 11:54
    VLAI
    Title
    Open redirect
    Summary
    An unvalidated redirect was contained in Venueless' social login functionality and could be exploited for phishing using trusted domains.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-601 - URL redirection to untrusted site ('open redirect')
    Assigner
    Impacted products
    Vendor Product Version
    pretix Venueless Affected: 0.0.0 , < d27864a7 (git)
    Create a notification for this product.
    Date Public
    2026-06-22 08:18
    Credits
    Kuturu Rajesh
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12863",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T10:27:00.898005Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T10:27:10.247Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Venueless",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "d27864a7",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "git"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Kuturu Rajesh"
            }
          ],
          "datePublic": "2026-06-22T08:18:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An unvalidated redirect was contained in Venueless\u0027 social login functionality and could be exploited for phishing using trusted domains."
                }
              ],
              "value": "An unvalidated redirect was contained in Venueless\u0027 social login functionality and could be exploited for phishing using trusted domains."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601 URL redirection to untrusted site (\u0027open redirect\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-23T11:54:38.277Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "url": "https://github.com/venueless/venueless/security/advisories/GHSA-m87f-7c4r-w4p3"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Open redirect",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-12863",
        "datePublished": "2026-06-22T08:41:33.126Z",
        "dateReserved": "2026-06-22T08:17:20.587Z",
        "dateUpdated": "2026-06-23T11:54:38.277Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12862 (GCVE-0-2026-12862)

    Vulnerability from nvd – Published: 2026-06-22 08:26 – Updated: 2026-06-22 12:23
    VLAI
    Title
    XLSX formula injection in exports
    Summary
    Untrusted user data was passed verbatim to Excel exports for administrators. This allowed formula injection which can be used to compromise the environment of the user loading the file or other data in the file.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-148 - Improper neutralization of input leaders
    Assigner
    Impacted products
    Vendor Product Version
    pretix Venueless Affected: 0.0.0 , < 0a35457f (git)
    Create a notification for this product.
    Date Public
    2026-06-22 08:18
    Credits
    Rokkam Vamshi
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12862",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T12:23:08.251405Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T12:23:13.560Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Venueless",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "0a35457f",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "git"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Rokkam Vamshi"
            }
          ],
          "datePublic": "2026-06-22T08:18:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Untrusted user data was passed verbatim to Excel exports for administrators. This allowed formula injection which can be used to compromise the environment of the user loading the file or other data in the file."
                }
              ],
              "value": "Untrusted user data was passed verbatim to Excel exports for administrators. This allowed formula injection which can be used to compromise the environment of the user loading the file or other data in the file."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-23",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-23 File Content Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-148",
                  "description": "CWE-148 Improper neutralization of input leaders",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T08:26:10.365Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "url": "https://github.com/venueless/venueless/security/advisories/GHSA-5hw3-655h-7m86"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "XLSX formula injection in exports",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-12862",
        "datePublished": "2026-06-22T08:26:10.365Z",
        "dateReserved": "2026-06-22T08:16:55.107Z",
        "dateUpdated": "2026-06-22T12:23:13.560Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5599 (GCVE-0-2026-5599)

    Vulnerability from nvd – Published: 2026-04-05 12:36 – Updated: 2026-04-06 14:33
    VLAI
    Title
    API allows deletion of users of other instance
    Summary
    A user with API access and "manage users" permission in any venueless world is able to trigger deletion of user accounts in other worlds.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-653 - Improper isolation or compartmentalization
    Assigner
    Impacted products
    Vendor Product Version
    pretix Venueless Affected: 0.0.0 , < 02b9cbe5 (custom)
    Create a notification for this product.
    Credits
    Pratik Karan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5599",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-06T14:32:27.722668Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-06T14:33:34.105Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Venueless",
              "repo": "https://github.com/venueless/venueless",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "02b9cbe5",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Pratik Karan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A user with API access and \"manage users\" permission in any venueless \nworld is able to trigger deletion of user accounts in other worlds."
                }
              ],
              "value": "A user with API access and \"manage users\" permission in any venueless \nworld is able to trigger deletion of user accounts in other worlds."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-653",
                  "description": "CWE-653 Improper isolation or compartmentalization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-05T12:36:27.278Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "url": "https://github.com/venueless/venueless/security/advisories/GHSA-gwjc-33fv-2gh4"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "API allows deletion of users of other instance",
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-5599",
        "datePublished": "2026-04-05T12:36:27.278Z",
        "dateReserved": "2026-04-05T12:25:52.821Z",
        "dateUpdated": "2026-04-06T14:33:34.105Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-4982 (GCVE-0-2026-4982)

    Vulnerability from nvd – Published: 2026-03-27 12:32 – Updated: 2026-03-27 19:39
    VLAI
    Title
    Unauthorized access to chat contents
    Summary
    A user with permission "update world" in any Venueless world is able to exfiltrate chat messages from direct messages or channels in other worlds on the same server due to a bug in the reporting feature. The exploitability is limited by the fact that the attacker needs to know the internal channel UUID of the chat channel, which is unlikely to be obtained by an outside attacker, especially for direct messages.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper input validation
    Assigner
    Impacted products
    Vendor Product Version
    pretix Venueless Affected: 0.0.0 , < 2026.3.27.e20083a (custom)
    Create a notification for this product.
    Credits
    Pratik Karan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-4982",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-27T19:23:52.214430Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-27T19:39:20.014Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Venueless",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "2026.3.27.e20083a",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Pratik Karan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A user with permission \"update world\" in any Venueless world is able to exfiltrate chat messages from direct messages or channels in other worlds on the same server due to a bug in the reporting feature.\u003cbr\u003e\u003cbr\u003eThe exploitability is limited by the fact that the attacker needs to know the internal channel UUID of the chat channel, which is unlikely to be obtained by an outside attacker, especially for direct messages."
                }
              ],
              "value": "A user with permission \"update world\" in any Venueless world is able to exfiltrate chat messages from direct messages or channels in other worlds on the same server due to a bug in the reporting feature.\n\nThe exploitability is limited by the fact that the attacker needs to know the internal channel UUID of the chat channel, which is unlikely to be obtained by an outside attacker, especially for direct messages."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-21",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-21 Exploitation of Trusted Identifiers"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper input validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-27T12:32:41.164Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "url": "https://github.com/venueless/venueless/security/advisories/GHSA-6fq7-pgj3-6cfp"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Unauthorized access to chat contents",
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-4982",
        "datePublished": "2026-03-27T12:32:41.164Z",
        "dateReserved": "2026-03-27T12:15:15.436Z",
        "dateUpdated": "2026-03-27T19:39:20.014Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-13350 (GCVE-0-2026-13350)

    Vulnerability from cvelistv5 – Published: 2026-06-25 16:05 – Updated: 2026-06-25 18:15
    VLAI
    Summary
    Permissions where checked incorrectly during room creation, allowing attackers to create rooms of types they shouldn't be allowed to create.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization bypass through User-Controlled key
    Assigner
    Impacted products
    Vendor Product Version
    pretix Venueless Affected: 0.0.0 , < 0a35457f (git)
    Create a notification for this product.
    Credits
    Rokkam Vamshi
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-13350",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T18:15:06.143068Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T18:15:25.953Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Venueless",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "0a35457f",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "git"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Rokkam Vamshi"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Permissions where checked incorrectly during room creation, allowing attackers to create rooms of types they shouldn\u0027t be allowed to create."
                }
              ],
              "value": "Permissions where checked incorrectly during room creation, allowing attackers to create rooms of types they shouldn\u0027t be allowed to create."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-114",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-114 Authentication Abuse"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization bypass through User-Controlled key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T16:05:11.500Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "url": "https://github.com/venueless/venueless/security/advisories/GHSA-hj6j-wpgc-qrp5"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-13350",
        "datePublished": "2026-06-25T16:05:11.500Z",
        "dateReserved": "2026-06-25T16:01:43.504Z",
        "dateUpdated": "2026-06-25T18:15:25.953Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12863 (GCVE-0-2026-12863)

    Vulnerability from cvelistv5 – Published: 2026-06-22 08:41 – Updated: 2026-06-23 11:54
    VLAI
    Title
    Open redirect
    Summary
    An unvalidated redirect was contained in Venueless' social login functionality and could be exploited for phishing using trusted domains.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-601 - URL redirection to untrusted site ('open redirect')
    Assigner
    Impacted products
    Vendor Product Version
    pretix Venueless Affected: 0.0.0 , < d27864a7 (git)
    Create a notification for this product.
    Date Public
    2026-06-22 08:18
    Credits
    Kuturu Rajesh
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12863",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T10:27:00.898005Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T10:27:10.247Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Venueless",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "d27864a7",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "git"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Kuturu Rajesh"
            }
          ],
          "datePublic": "2026-06-22T08:18:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An unvalidated redirect was contained in Venueless\u0027 social login functionality and could be exploited for phishing using trusted domains."
                }
              ],
              "value": "An unvalidated redirect was contained in Venueless\u0027 social login functionality and could be exploited for phishing using trusted domains."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601 URL redirection to untrusted site (\u0027open redirect\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-23T11:54:38.277Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "url": "https://github.com/venueless/venueless/security/advisories/GHSA-m87f-7c4r-w4p3"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Open redirect",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-12863",
        "datePublished": "2026-06-22T08:41:33.126Z",
        "dateReserved": "2026-06-22T08:17:20.587Z",
        "dateUpdated": "2026-06-23T11:54:38.277Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12862 (GCVE-0-2026-12862)

    Vulnerability from cvelistv5 – Published: 2026-06-22 08:26 – Updated: 2026-06-22 12:23
    VLAI
    Title
    XLSX formula injection in exports
    Summary
    Untrusted user data was passed verbatim to Excel exports for administrators. This allowed formula injection which can be used to compromise the environment of the user loading the file or other data in the file.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-148 - Improper neutralization of input leaders
    Assigner
    Impacted products
    Vendor Product Version
    pretix Venueless Affected: 0.0.0 , < 0a35457f (git)
    Create a notification for this product.
    Date Public
    2026-06-22 08:18
    Credits
    Rokkam Vamshi
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12862",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T12:23:08.251405Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T12:23:13.560Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Venueless",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "0a35457f",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "git"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Rokkam Vamshi"
            }
          ],
          "datePublic": "2026-06-22T08:18:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Untrusted user data was passed verbatim to Excel exports for administrators. This allowed formula injection which can be used to compromise the environment of the user loading the file or other data in the file."
                }
              ],
              "value": "Untrusted user data was passed verbatim to Excel exports for administrators. This allowed formula injection which can be used to compromise the environment of the user loading the file or other data in the file."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-23",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-23 File Content Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-148",
                  "description": "CWE-148 Improper neutralization of input leaders",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T08:26:10.365Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "url": "https://github.com/venueless/venueless/security/advisories/GHSA-5hw3-655h-7m86"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "XLSX formula injection in exports",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-12862",
        "datePublished": "2026-06-22T08:26:10.365Z",
        "dateReserved": "2026-06-22T08:16:55.107Z",
        "dateUpdated": "2026-06-22T12:23:13.560Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5599 (GCVE-0-2026-5599)

    Vulnerability from cvelistv5 – Published: 2026-04-05 12:36 – Updated: 2026-04-06 14:33
    VLAI
    Title
    API allows deletion of users of other instance
    Summary
    A user with API access and "manage users" permission in any venueless world is able to trigger deletion of user accounts in other worlds.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-653 - Improper isolation or compartmentalization
    Assigner
    Impacted products
    Vendor Product Version
    pretix Venueless Affected: 0.0.0 , < 02b9cbe5 (custom)
    Create a notification for this product.
    Credits
    Pratik Karan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5599",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-06T14:32:27.722668Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-06T14:33:34.105Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Venueless",
              "repo": "https://github.com/venueless/venueless",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "02b9cbe5",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Pratik Karan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A user with API access and \"manage users\" permission in any venueless \nworld is able to trigger deletion of user accounts in other worlds."
                }
              ],
              "value": "A user with API access and \"manage users\" permission in any venueless \nworld is able to trigger deletion of user accounts in other worlds."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-653",
                  "description": "CWE-653 Improper isolation or compartmentalization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-05T12:36:27.278Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "url": "https://github.com/venueless/venueless/security/advisories/GHSA-gwjc-33fv-2gh4"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "API allows deletion of users of other instance",
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-5599",
        "datePublished": "2026-04-05T12:36:27.278Z",
        "dateReserved": "2026-04-05T12:25:52.821Z",
        "dateUpdated": "2026-04-06T14:33:34.105Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-4982 (GCVE-0-2026-4982)

    Vulnerability from cvelistv5 – Published: 2026-03-27 12:32 – Updated: 2026-03-27 19:39
    VLAI
    Title
    Unauthorized access to chat contents
    Summary
    A user with permission "update world" in any Venueless world is able to exfiltrate chat messages from direct messages or channels in other worlds on the same server due to a bug in the reporting feature. The exploitability is limited by the fact that the attacker needs to know the internal channel UUID of the chat channel, which is unlikely to be obtained by an outside attacker, especially for direct messages.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper input validation
    Assigner
    Impacted products
    Vendor Product Version
    pretix Venueless Affected: 0.0.0 , < 2026.3.27.e20083a (custom)
    Create a notification for this product.
    Credits
    Pratik Karan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-4982",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-27T19:23:52.214430Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-27T19:39:20.014Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Venueless",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "2026.3.27.e20083a",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Pratik Karan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A user with permission \"update world\" in any Venueless world is able to exfiltrate chat messages from direct messages or channels in other worlds on the same server due to a bug in the reporting feature.\u003cbr\u003e\u003cbr\u003eThe exploitability is limited by the fact that the attacker needs to know the internal channel UUID of the chat channel, which is unlikely to be obtained by an outside attacker, especially for direct messages."
                }
              ],
              "value": "A user with permission \"update world\" in any Venueless world is able to exfiltrate chat messages from direct messages or channels in other worlds on the same server due to a bug in the reporting feature.\n\nThe exploitability is limited by the fact that the attacker needs to know the internal channel UUID of the chat channel, which is unlikely to be obtained by an outside attacker, especially for direct messages."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-21",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-21 Exploitation of Trusted Identifiers"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper input validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-27T12:32:41.164Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "url": "https://github.com/venueless/venueless/security/advisories/GHSA-6fq7-pgj3-6cfp"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Unauthorized access to chat contents",
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-4982",
        "datePublished": "2026-03-27T12:32:41.164Z",
        "dateReserved": "2026-03-27T12:15:15.436Z",
        "dateUpdated": "2026-03-27T19:39:20.014Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }