Search
Find a vulnerability
Search criteria
30 vulnerabilities found for pretix by pretix
CVE-2026-13602 (GCVE-0-2026-13602)
Vulnerability from nvd – Published: 2026-07-01 13:45 – Updated: 2026-07-01 15:27
VLAI
Title
Session takeover vulnerability
Summary
We found a chain of combining multiple weaknesses in the product that could allow an attacker to become any user in the backend and access any data:
*
The payment integration plugins Stripe (included in the core system), pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, and pretix-saferpay
contain a code path that is intended for the transport of session
parameters from a tab with isolated cookies (e.g. in the pretix widget)
to a new tab. For this purpose, a set of session parameters is
cryptographically signed and then passed to the new tab as a URL
parameter. The plugins perform no further validation of the session
parameters, other than the cryptographic signature being valid. This is
fixed with the releases issued today by strictly validating that no
session parameters outside of the scope of the respective plugin may be
set.
*
An unrelated feature in the core system is used to generate redirect links that obfuscate any Referer
headers for outgoing links to prevent leakage of secrets in URLs. This
redirect page also requires cryptographically signed parameters.
Unfortunately, it uses the same key and salt for the signature as the
previously mentioned feature in the payment integration plugins. A
motivated attacker with access to at least one event in the backend can
trick the system into cryptographically signing arbitrary content using
specially crafted links. In combination with the previous issue, the
attacker could use this to set and modify arbitrary parameters on their
user session by injecting the signed parameters into the feature of the
payment providers. This is fixed with the releases issued today by using
different salts for the signature for each plugin and feature.
*
A third, unrelated feature in the core system is used for admin users
to act on behalf of another user, mostly for debugging purposes. With
being able to insert arbitrary parameters into a session, an attacker
can abuse this feature to change their session from their actual user to
any user in the system by guessing a valid user ID. This is fixed with
the release today by requiring unguessable information to be contained
in the session of the user to switch to.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://pretix.eu/about/en/blog/20260701-release-… | vendor-advisory |
Impacted products
8 products
| Vendor | Product | Version | |
|---|---|---|---|
| pretix | pretix |
Affected:
4.14.0 , < 2026.3.5
(python)
Affected: 2026.4.0 , < 2026.4.5 (python) Affected: 2026.5.0 , < 2026.5.3 (python) |
|
| pretix | pretix-mollie |
Affected:
0 , < 2.5.7
(python)
|
|
| pretix | pretix-oppwa |
Affected:
0 , < 1.4.4
(python)
|
|
| pretix | pretix-bitpay |
Affected:
0 , < 1.5.3
(python)
|
|
| pretix | pretix-payone |
Affected:
0 , < 1.4.3
(python)
|
|
| pretix | pretix-secuconnect |
Affected:
0 , < 1.0.4
(python)
|
|
| pretix | pretix-sofort |
Affected:
0 , < 1.4.2
(python)
|
|
| pretix | pretix-saferpay |
Affected:
0 , < 1.6.3
(python)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13602",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:26:54.400278Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:27:00.431Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"repo": "https://github.com/pretix/pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2026.3.5",
"status": "affected",
"version": "4.14.0",
"versionType": "python"
},
{
"lessThan": "2026.4.5",
"status": "affected",
"version": "2026.4.0",
"versionType": "python"
},
{
"lessThan": "2026.5.3",
"status": "affected",
"version": "2026.5.0",
"versionType": "python"
}
]
},
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix-mollie",
"product": "pretix-mollie",
"repo": "https://github.com/pretix/pretix-mollie",
"vendor": "pretix",
"versions": [
{
"lessThan": "2.5.7",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
},
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix-oppwa",
"product": "pretix-oppwa",
"repo": "https://github.com/pretix/pretix-oppwa",
"vendor": "pretix",
"versions": [
{
"lessThan": "1.4.4",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
},
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix-bitpay",
"product": "pretix-bitpay",
"repo": "https://github.com/pretix/pretix-bitpay",
"vendor": "pretix",
"versions": [
{
"lessThan": "1.5.3",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
},
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix-payone",
"product": "pretix-payone",
"repo": "https://github.com/pretix/pretix-payone",
"vendor": "pretix",
"versions": [
{
"lessThan": "1.4.3",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
},
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix-secuconnect",
"product": "pretix-secuconnect",
"repo": "https://github.com/pretix/pretix-secuconnect",
"vendor": "pretix",
"versions": [
{
"lessThan": "1.0.4",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
},
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix-sofort",
"product": "pretix-sofort",
"repo": "https://github.com/pretix/pretix-sofort",
"vendor": "pretix",
"versions": [
{
"lessThan": "1.4.2",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
},
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix-saferpay",
"product": "pretix-saferpay",
"repo": "https://github.com/pretix/pretix-saferpay",
"vendor": "pretix",
"versions": [
{
"lessThan": "1.6.3",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eWe found a chain of combining multiple weaknesses in the product that could allow an attacker to become \u003cstrong\u003eany\u003c/strong\u003e user in the backend and access \u003cstrong\u003eany\u003c/strong\u003e data:\u003c/p\u003e\u003cp\u003e\n\u003c/p\u003e\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eThe payment integration plugins Stripe (included in the core system), \u003ccode\u003epretix-mollie\u003c/code\u003e, \u003ccode\u003epretix-oppwa\u003c/code\u003e, \u003ccode\u003epretix-bitpay\u003c/code\u003e, \u003ccode\u003epretix-payone\u003c/code\u003e, \u003ccode\u003epretix-secuconnect\u003c/code\u003e, \u003ccode\u003epretix-sofort\u003c/code\u003e, and \u003ccode\u003epretix-saferpay\u003c/code\u003e\n contain a code path that is intended for the transport of session \nparameters from a tab with isolated cookies (e.g. in the pretix widget) \nto a new tab. For this purpose, a set of session parameters is \ncryptographically signed and then passed to the new tab as a URL \nparameter. The plugins perform no further validation of the session \nparameters, other than the cryptographic signature being valid. This is \nfixed with the releases issued today by strictly validating that no \nsession parameters outside of the scope of the respective plugin may be \nset.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAn unrelated feature in the core system is used to generate redirect links that obfuscate any \u003ccode\u003eReferer\u003c/code\u003e\n headers for outgoing links to prevent leakage of secrets in URLs. This \nredirect page also requires cryptographically signed parameters. \nUnfortunately, it uses the same key and salt for the signature as the \npreviously mentioned feature in the payment integration plugins. A \nmotivated attacker with access to at least one event in the backend can \ntrick the system into cryptographically signing arbitrary content using \nspecially crafted links. In combination with the previous issue, the \nattacker could use this to set and modify arbitrary parameters on their \nuser session by injecting the signed parameters into the feature of the \npayment providers. This is fixed with the releases issued today by using\n different salts for the signature for each plugin and feature.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eA third, unrelated feature in the core system is used for admin users\n to act on behalf of another user, mostly for debugging purposes. With \nbeing able to insert arbitrary parameters into a session, an attacker \ncan abuse this feature to change their session from their actual user to\n any user in the system by guessing a valid user ID. This is fixed with\n the release today by requiring unguessable information to be contained \nin the session of the user to switch to.\u003c/p\u003e\n\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "We found a chain of combining multiple weaknesses in the product that could allow an attacker to become any user in the backend and access any data:\n\n\n\n\n\n\n\n * \n\n\nThe payment integration plugins Stripe (included in the core system), pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, and pretix-saferpay\n contain a code path that is intended for the transport of session \nparameters from a tab with isolated cookies (e.g. in the pretix widget) \nto a new tab. For this purpose, a set of session parameters is \ncryptographically signed and then passed to the new tab as a URL \nparameter. The plugins perform no further validation of the session \nparameters, other than the cryptographic signature being valid. This is \nfixed with the releases issued today by strictly validating that no \nsession parameters outside of the scope of the respective plugin may be \nset.\n\n\n\n\n * \n\n\nAn unrelated feature in the core system is used to generate redirect links that obfuscate any Referer\n headers for outgoing links to prevent leakage of secrets in URLs. This \nredirect page also requires cryptographically signed parameters. \nUnfortunately, it uses the same key and salt for the signature as the \npreviously mentioned feature in the payment integration plugins. A \nmotivated attacker with access to at least one event in the backend can \ntrick the system into cryptographically signing arbitrary content using \nspecially crafted links. In combination with the previous issue, the \nattacker could use this to set and modify arbitrary parameters on their \nuser session by injecting the signed parameters into the feature of the \npayment providers. This is fixed with the releases issued today by using\n different salts for the signature for each plugin and feature.\n\n\n\n\n * \n\n\nA third, unrelated feature in the core system is used for admin users\n to act on behalf of another user, mostly for debugging purposes. With \nbeing able to insert arbitrary parameters into a session, an attacker \ncan abuse this feature to change their session from their actual user to\n any user in the system by guessing a valid user ID. This is fixed with\n the release today by requiring unguessable information to be contained \nin the session of the user to switch to."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
},
{
"capecId": "CAPEC-61",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-61 Session Fixation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper input validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-323",
"description": "CWE-323 Reusing a nonce, key pair in encryption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:45:30.615Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://pretix.eu/about/en/blog/20260701-release-2026-5-3/"
}
],
"title": "Session takeover vulnerability",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "If you are unable to update quickly, we recommend to block the URL \u003ccode\u003e/control/users/impersonate/stop\u003c/code\u003e in your webserver configuration. In nginx, you can do this by inserting \u003ccode\u003elocation /control/users/impersonate/stop { deny all; }\u003c/code\u003e\n into the correct block. However, this only remedies the most critical \nimpact the other vulnerabilities have, and we still recommend you plan \nan update as soon as possible."
}
],
"value": "If you are unable to update quickly, we recommend to block the URL /control/users/impersonate/stop in your webserver configuration. In nginx, you can do this by inserting location /control/users/impersonate/stop { deny all; }\n into the correct block. However, this only remedies the most critical \nimpact the other vulnerabilities have, and we still recommend you plan \nan update as soon as possible."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-13602",
"datePublished": "2026-07-01T13:45:30.615Z",
"dateReserved": "2026-06-29T08:26:50.725Z",
"dateUpdated": "2026-07-01T15:27:00.431Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-57535 (GCVE-0-2026-57535)
Vulnerability from nvd – Published: 2026-06-25 14:29 – Updated: 2026-06-25 15:10
VLAI
Summary
Content injected to PDF rendering contexts could, in many places, include HTML content including <img> tags. If the src
attribute of these images pointed to an URL, the PDF rendering engine
would download the image from that place and display it, thereby leaking
information about the rendering server and possibly creating an SSRF
vector in the local network.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-80 - Improper neutralization of Script-Related HTML tags in a web page (basic XSS)
Assigner
References
1 reference
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-57535",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T15:10:42.511872Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T15:10:48.584Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"repo": "https://github.com/pretix/pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2026.3.4",
"status": "affected",
"version": "0",
"versionType": "python"
},
{
"lessThan": "2026.4.4",
"status": "affected",
"version": "2026.4.0",
"versionType": "python"
},
{
"lessThan": "2026.5.2",
"status": "affected",
"version": "2026.5.0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rokkam Vamshi"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Content injected to PDF rendering contexts could, in many places, include HTML content including \u003ccode\u003e\u0026lt;img\u0026gt;\u003c/code\u003e tags. If the \u003ccode\u003esrc\u003c/code\u003e\n attribute of these images pointed to an URL, the PDF rendering engine \nwould download the image from that place and display it, thereby leaking\n information about the rendering server and possibly creating an SSRF \nvector in the local network."
}
],
"value": "Content injected to PDF rendering contexts could, in many places, include HTML content including \u003cimg\u003e tags. If the src\n attribute of these images pointed to an URL, the PDF rendering engine \nwould download the image from that place and display it, thereby leaking\n information about the rendering server and possibly creating an SSRF \nvector in the local network."
}
],
"impacts": [
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80 Improper neutralization of Script-Related HTML tags in a web page (basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T14:32:51.282Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"url": "https://pretix.eu/about/en/blog/20260625-release-2026-5-2/"
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-57535",
"datePublished": "2026-06-25T14:29:18.531Z",
"dateReserved": "2026-06-24T15:59:32.628Z",
"dateUpdated": "2026-06-25T15:10:48.584Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-57533 (GCVE-0-2026-57533)
Vulnerability from nvd – Published: 2026-06-25 14:31 – Updated: 2026-06-25 15:05
VLAI
Summary
Malicious HTML content could be injected into the page pretix shows when
redirection to an untrusted page occurs. Since this page has a
Content-Security-Policy, this can mainly be used for phishing purposes.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-80 - Improper neutralization of Script-Related HTML tags in a web page (basic XSS)
Assigner
References
1 reference
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-57533",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T15:05:08.728267Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T15:05:14.046Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"repo": "https://github.com/pretix/pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2026.3.4",
"status": "affected",
"version": "0",
"versionType": "python"
},
{
"lessThan": "2026.4.4",
"status": "affected",
"version": "2026.4.0",
"versionType": "python"
},
{
"lessThan": "2026.5.2",
"status": "affected",
"version": "2026.5.0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Haxset"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Malicious HTML content could be injected into the page pretix shows when\n redirection to an untrusted page occurs. Since this page has a \nContent-Security-Policy, this can mainly be used for phishing purposes."
}
],
"value": "Malicious HTML content could be injected into the page pretix shows when\n redirection to an untrusted page occurs. Since this page has a \nContent-Security-Policy, this can mainly be used for phishing purposes."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80 Improper neutralization of Script-Related HTML tags in a web page (basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T14:31:18.968Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"url": "https://pretix.eu/about/en/blog/20260625-release-2026-5-2/"
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-57533",
"datePublished": "2026-06-25T14:31:18.968Z",
"dateReserved": "2026-06-24T15:59:32.628Z",
"dateUpdated": "2026-06-25T15:05:14.046Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-57532 (GCVE-0-2026-57532)
Vulnerability from nvd – Published: 2026-06-25 14:32 – Updated: 2026-06-25 15:04
VLAI
Summary
Malicious HTML content contained in the layout specification of a PDF
ticket or badge layout was executed when the PDF editor is opened in the
browser. This could allow one backend user to inject JavaScript into
the browser context of another backend user. Due to requirements of the
PDF rendering and editing libraries used, this is one of the few pages
in our backend that do not have a strong Content-Security-Policy that
would render this capability useless for most scenarios.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-80 - Improper neutralization of Script-Related HTML tags in a web page (basic XSS)
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-57532",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T15:04:18.329787Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T15:04:24.738Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"repo": "https://github.com/pretix/pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2026.3.4",
"status": "affected",
"version": "0",
"versionType": "python"
},
{
"lessThan": "2026.4.4",
"status": "affected",
"version": "2026.4.0",
"versionType": "python"
},
{
"lessThan": "2026.5.2",
"status": "affected",
"version": "2026.5.0",
"versionType": "python"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Malicious HTML content contained in the layout specification of a PDF \nticket or badge layout was executed when the PDF editor is opened in the\n browser. This could allow one backend user to inject JavaScript into \nthe browser context of another backend user. Due to requirements of the \nPDF rendering and editing libraries used, this is one of the few pages \nin our backend that do not have a strong Content-Security-Policy that \nwould render this capability useless for most scenarios."
}
],
"value": "Malicious HTML content contained in the layout specification of a PDF \nticket or badge layout was executed when the PDF editor is opened in the\n browser. This could allow one backend user to inject JavaScript into \nthe browser context of another backend user. Due to requirements of the \nPDF rendering and editing libraries used, this is one of the few pages \nin our backend that do not have a strong Content-Security-Policy that \nwould render this capability useless for most scenarios."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80 Improper neutralization of Script-Related HTML tags in a web page (basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T14:32:37.967Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"url": "https://pretix.eu/about/en/blog/20260625-release-2026-5-2/"
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-57532",
"datePublished": "2026-06-25T14:32:37.967Z",
"dateReserved": "2026-06-24T15:59:32.628Z",
"dateUpdated": "2026-06-25T15:04:24.738Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13225 (GCVE-0-2026-13225)
Vulnerability from nvd – Published: 2026-06-25 14:26 – Updated: 2026-06-25 15:11
VLAI
Title
Stored XSS in ticket confirmation page
Summary
Malicious HTML content could be injected into the email address of an
order, which pretix showed without sanitization on the confirmation page
for individual tickets in that order.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-80 - Improper neutralization of Script-Related HTML tags in a web page (basic XSS)
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13225",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T15:11:06.802643Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T15:11:12.132Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"repo": "https://github.com/pretix/pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2026.3.4",
"status": "affected",
"version": "0",
"versionType": "python"
},
{
"lessThan": "2026.4.4",
"status": "affected",
"version": "2026.4.0",
"versionType": "python"
},
{
"lessThan": "2026.5.2",
"status": "affected",
"version": "2026.5.0",
"versionType": "python"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Malicious HTML content could be injected into the email address of an \norder, which pretix showed without sanitization on the confirmation page\n for individual tickets in that order."
}
],
"value": "Malicious HTML content could be injected into the email address of an \norder, which pretix showed without sanitization on the confirmation page\n for individual tickets in that order."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80 Improper neutralization of Script-Related HTML tags in a web page (basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T14:26:31.972Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"url": "https://pretix.eu/about/en/blog/20260625-release-2026-5-2/"
}
],
"title": "Stored XSS in ticket confirmation page",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-13225",
"datePublished": "2026-06-25T14:26:31.972Z",
"dateReserved": "2026-06-24T16:14:10.932Z",
"dateUpdated": "2026-06-25T15:11:12.132Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11764 (GCVE-0-2026-11764)
Vulnerability from nvd – Published: 2026-06-09 11:54 – Updated: 2026-06-09 13:49
VLAI
Title
Data exposed without proper permission
Summary
When creating an export of all reusable media, the secrets of connected
gift cards were included in the export even if the user creating the
export does not have permission to view gift cards. This is inconsistent
with the UI and API where only the first letters of the gift card
secret are shown. Therefore, it allows circumventing a permission
boundary.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-280 - Improper handling of insufficient permissions or privileges
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://pretix.eu/about/en/blog/20260609-release-… | vendor-advisory |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11764",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T13:49:30.786909Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T13:49:42.672Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.org/",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"repo": "https://github.com/pretix/pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2026.3.0",
"status": "affected",
"version": "2024.1.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2026.3.3",
"status": "unaffected"
}
],
"lessThan": "2026.4.0",
"status": "affected",
"version": "2026.3.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2026.4.3",
"status": "unaffected"
}
],
"lessThan": "2026.5.0",
"status": "affected",
"version": "2026.4.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2026.5.1",
"status": "unaffected"
}
],
"lessThan": "2026.6.0",
"status": "affected",
"version": "2026.5.0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mr. JDH"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eWhen creating an export of all reusable media, the secrets of connected \ngift cards were included in the export even if the user creating the \nexport does not have permission to view gift cards. This is inconsistent\n with the UI and API where only the first letters of the gift card \nsecret are shown. Therefore, it allows circumventing a permission \nboundary.\u003c/p\u003e"
}
],
"value": "When creating an export of all reusable media, the secrets of connected \ngift cards were included in the export even if the user creating the \nexport does not have permission to view gift cards. This is inconsistent\n with the UI and API where only the first letters of the gift card \nsecret are shown. Therefore, it allows circumventing a permission \nboundary."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 3.6,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-280",
"description": "CWE-280 Improper handling of insufficient permissions or privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T11:54:37.865Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://pretix.eu/about/en/blog/20260609-release-2026-5-1/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Data exposed without proper permission",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-11764",
"datePublished": "2026-06-09T11:54:37.865Z",
"dateReserved": "2026-06-09T08:08:24.188Z",
"dateUpdated": "2026-06-09T13:49:42.672Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9712 (GCVE-0-2026-9712)
Vulnerability from nvd – Published: 2026-05-27 14:35 – Updated: 2026-05-28 15:39
VLAI
Title
Insecure direct object reference
Summary
When creating an export through the pretix API, API clients are
returned an UUID value for their export job (a long, random string like
35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client
can then request the actual file for download. The same kind of UUID is
used in other places in pretix when temporary files are generated for
internal use or download.
One remaining API endpoint, however, wrongfully did not verify if the
UUID used for download actually belongs to a file that is supposed to
be downloadable and belongs to the correct user. In reality, this is
hard to exploit because an attacker would need to have access to a valid
UUID for the file they desire which is unlikely to happen without a
separate security problem giving them access to logs etc.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://pretix.eu/about/en/blog/20260527-release-… | vendor-advisory |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9712",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T15:39:22.313424Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T15:39:28.686Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.org/",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"repo": "https://github.com/pretix/pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2026.2.0",
"status": "affected",
"version": "2024.10.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2026.2.2",
"status": "unaffected"
}
],
"lessThan": "2026.3.0",
"status": "affected",
"version": "2026.2.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2026.3.2",
"status": "unaffected"
}
],
"lessThan": "2026.4.0",
"status": "affected",
"version": "2026.3.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2026.4.2",
"status": "unaffected"
}
],
"lessThan": "2026.5.0",
"status": "affected",
"version": "2026.4.0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Deepjyoti Roy"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eWhen creating an export through the pretix API, API clients are \nreturned an UUID value for their export job (a long, random string like \n35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client \ncan then request the actual file for download. The same kind of UUID is \nused in other places in pretix when temporary files are generated for \ninternal use or download.\u003c/p\u003e\n\u003cp\u003eOne remaining API endpoint, however, wrongfully did not verify if the\n UUID used for download actually belongs to a file that is supposed to \nbe downloadable and belongs to the correct user. In reality, this is \nhard to exploit because an attacker would need to have access to a valid\n UUID for the file they desire which is unlikely to happen without a \nseparate security problem giving them access to logs etc.\u003c/p\u003e"
}
],
"value": "When creating an export through the pretix API, API clients are \nreturned an UUID value for their export job (a long, random string like \n35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client \ncan then request the actual file for download. The same kind of UUID is \nused in other places in pretix when temporary files are generated for \ninternal use or download.\n\n\n\n\nOne remaining API endpoint, however, wrongfully did not verify if the\n UUID used for download actually belongs to a file that is supposed to \nbe downloadable and belongs to the correct user. In reality, this is \nhard to exploit because an attacker would need to have access to a valid\n UUID for the file they desire which is unlikely to happen without a \nseparate security problem giving them access to logs etc."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 3.8,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T14:35:58.857Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://pretix.eu/about/en/blog/20260527-release-2026-4-2/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Insecure direct object reference",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-9712",
"datePublished": "2026-05-27T14:35:58.857Z",
"dateReserved": "2026-05-27T14:18:33.470Z",
"dateUpdated": "2026-05-28T15:39:28.686Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5600 (GCVE-0-2026-5600)
Vulnerability from nvd – Published: 2026-04-08 12:24 – Updated: 2026-04-08 16:03
VLAI
Summary
A new API endpoint introduced in pretix 2025 that is supposed to
return all check-in events of a specific event in fact returns all
check-in events belonging to the respective organizer. This allows an
API consumer to access information for all other events under the same
organizer, even those they should not have access to.
These records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example:
{
"id": 123,
"successful": true,
"error_reason": null,
"error_explanation": null,
"position": 321,
"datetime": "2020-08-23T09:00:00+02:00",
"list": 456,
"created": "2020-08-23T09:00:00+02:00",
"auto_checked_in": false,
"gate": null,
"device": 1,
"device_id": 1,
"type": "entry"
}
An unauthorized user usually has no way to match these IDs (position) back to individual people.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-653 - Improper isolation or compartmentalization
Assigner
References
1 reference
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5600",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-08T16:02:54.453740Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:03:07.473Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2026.1.2",
"status": "affected",
"version": "2025.10.0",
"versionType": "python"
},
{
"lessThan": "2026.2.1",
"status": "affected",
"version": "2026.2.0",
"versionType": "python"
},
{
"lessThan": "2026.3.1",
"status": "affected",
"version": "2026.3.0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pratik Karan"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA new API endpoint introduced in pretix 2025 that is supposed to \nreturn all check-in events of a specific event in fact returns all \ncheck-in events belonging to the respective organizer. This allows an \nAPI consumer to access information for all other events under the same \norganizer, even those they should not have access to.\u003c/p\u003e\n\u003cp\u003eThese records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003e{\n \"id\": 123,\n \"successful\": true,\n \"error_reason\": null,\n \"error_explanation\": null,\n \"position\": 321,\n \"datetime\": \"2020-08-23T09:00:00+02:00\",\n \"list\": 456,\n \"created\": \"2020-08-23T09:00:00+02:00\",\n \"auto_checked_in\": false,\n \"gate\": null,\n \"device\": 1,\n \"device_id\": 1,\n \"type\": \"entry\"\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eAn unauthorized user usually has no way to match these IDs (\u003ccode\u003eposition\u003c/code\u003e) back to individual people.\u003c/p\u003e"
}
],
"value": "A new API endpoint introduced in pretix 2025 that is supposed to \nreturn all check-in events of a specific event in fact returns all \ncheck-in events belonging to the respective organizer. This allows an \nAPI consumer to access information for all other events under the same \norganizer, even those they should not have access to.\n\n\nThese records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example:\n\n\n{\n \"id\": 123,\n \"successful\": true,\n \"error_reason\": null,\n \"error_explanation\": null,\n \"position\": 321,\n \"datetime\": \"2020-08-23T09:00:00+02:00\",\n \"list\": 456,\n \"created\": \"2020-08-23T09:00:00+02:00\",\n \"auto_checked_in\": false,\n \"gate\": null,\n \"device\": 1,\n \"device_id\": 1,\n \"type\": \"entry\"\n}\n\n\n\nAn unauthorized user usually has no way to match these IDs (position) back to individual people."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "auth"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-653",
"description": "CWE-653 Improper isolation or compartmentalization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T12:24:51.602Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"url": "https://pretix.eu/about/en/blog/20260408-release-2026-3-1/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-5600",
"datePublished": "2026-04-08T12:24:51.602Z",
"dateReserved": "2026-04-05T12:25:54.058Z",
"dateUpdated": "2026-04-08T16:03:07.473Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2452 (GCVE-0-2026-2452)
Vulnerability from nvd – Published: 2026-02-16 10:16 – Updated: 2026-02-17 17:06
VLAI
Title
Unsafe variable evaluation in email templates
Summary
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name}
is used in an email template, it will be replaced with the buyer's
name for the final email. This mechanism contained a security-relevant bug:
It was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}.
This way, an attacker with the ability to control email templates
(usually every user of the pretix backend) could retrieve sensitive
information from the system configuration, including even database
passwords or API keys. pretix does include mechanisms to prevent the usage of such
malicious placeholders, however due to a mistake in the code, they were
not fully effective for this plugin.
Out of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg https://docs.pretix.eu/self-hosting/config/ file.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-627 - Dynamic Variable Evaluation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://pretix.eu/about/en/blog/20260216-release-… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| pretix | pretix-newsletter |
Affected:
1.0.0 , < 2.0.0
(python)
Affected: 2.0.0 , < 2.0.1 (python) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2452",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-17T16:43:10.295791Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-17T17:06:21.998Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://marketplace.pretix.eu/",
"defaultStatus": "unaffected",
"packageName": "pretix-newsletter",
"product": "pretix-newsletter",
"vendor": "pretix",
"versions": [
{
"changes": [
{
"at": "1.6.3",
"status": "unaffected"
}
],
"lessThan": "2.0.0",
"status": "affected",
"version": "1.0.0",
"versionType": "python"
},
{
"lessThan": "2.0.1",
"status": "affected",
"version": "2.0.0",
"versionType": "python"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eEmails sent by pretix can utilize placeholders that will be filled with customer data. For example, when \u003ccode\u003e{name}\u003c/code\u003e\n is used in an email template, it will be replaced with the buyer\u0027s \nname for the final email. This mechanism contained a security-relevant bug:\u003c/p\u003e\u003cp\u003eIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as \u003ccode\u003e{{event.__init__.__code__.co_filename}}\u003c/code\u003e.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for this plugin.\u003c/p\u003e\u003cp\u003eOut of caution, we recommend that you rotate all passwords and API keys contained in your \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.pretix.eu/self-hosting/config/\"\u003epretix.cfg\u003c/a\u003e\u0026nbsp;file.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name}\n is used in an email template, it will be replaced with the buyer\u0027s \nname for the final email. This mechanism contained a security-relevant bug:\n\nIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for this plugin.\n\nOut of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg https://docs.pretix.eu/self-hosting/config/ \u00a0file."
}
],
"impacts": [
{
"capecId": "CAPEC-545",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-545 Pull Data from System Resources"
}
]
},
{
"capecId": "CAPEC-77",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-77 Manipulating User-Controlled Variables"
}
]
},
{
"capecId": "CAPEC-54",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-54 Query System for Information"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"exploitMaturity": "PROOF_OF_CONCEPT",
"privilegesRequired": "LOW",
"providerUrgency": "RED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/RE:L/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-627",
"description": "CWE-627 Dynamic Variable Evaluation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-16T10:16:22.027Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://pretix.eu/about/en/blog/20260216-release-2026-1-1/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Unsafe variable evaluation in email templates",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Limit backend access to trusted users, do not use user-controlled variables in the email templates."
}
],
"value": "Limit backend access to trusted users, do not use user-controlled variables in the email templates."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-2452",
"datePublished": "2026-02-16T10:16:22.027Z",
"dateReserved": "2026-02-13T09:57:35.371Z",
"dateUpdated": "2026-02-17T17:06:21.998Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2451 (GCVE-0-2026-2451)
Vulnerability from nvd – Published: 2026-02-16 10:16 – Updated: 2026-02-17 17:06
VLAI
Title
Unsafe variable evaluation in email templates
Summary
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name}
is used in an email template, it will be replaced with the buyer's
name for the final email. This mechanism contained a security-relevant bug:
It was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}.
This way, an attacker with the ability to control email templates
(usually every user of the pretix backend) could retrieve sensitive
information from the system configuration, including even database
passwords or API keys. pretix does include mechanisms to prevent the usage of such
malicious placeholders, however due to a mistake in the code, they were
not fully effective for this plugin.
Out of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg file.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-627 - Dynamic Variable Evaluation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://pretix.eu/about/en/blog/20260216-release-… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| pretix | pretix-doistep |
Affected:
1.0.0 , < 1.3.2
(python)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2451",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-17T16:43:11.539670Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-17T17:06:30.536Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://marketplace.pretix.eu/",
"defaultStatus": "unaffected",
"packageName": "pretix-doistep",
"product": "pretix-doistep",
"vendor": "pretix",
"versions": [
{
"lessThan": "1.3.2",
"status": "affected",
"version": "1.0.0",
"versionType": "python"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eEmails sent by pretix can utilize placeholders that will be filled with customer data. For example, when \u003ccode\u003e{name}\u003c/code\u003e\n is used in an email template, it will be replaced with the buyer\u0027s \nname for the final email. This mechanism contained a security-relevant bug:\u003c/p\u003e\u003cp\u003eIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as \u003ccode\u003e{{event.__init__.__code__.co_filename}}\u003c/code\u003e.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for this plugin.\u003c/p\u003e\u003cp\u003eOut of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg\u0026nbsp;file.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name}\n is used in an email template, it will be replaced with the buyer\u0027s \nname for the final email. This mechanism contained a security-relevant bug:\n\nIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for this plugin.\n\nOut of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg\u00a0file."
}
],
"impacts": [
{
"capecId": "CAPEC-545",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-545 Pull Data from System Resources"
}
]
},
{
"capecId": "CAPEC-77",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-77 Manipulating User-Controlled Variables"
}
]
},
{
"capecId": "CAPEC-54",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-54 Query System for Information"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"exploitMaturity": "PROOF_OF_CONCEPT",
"privilegesRequired": "LOW",
"providerUrgency": "RED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/RE:L/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-627",
"description": "CWE-627 Dynamic Variable Evaluation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-16T10:16:05.423Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://pretix.eu/about/en/blog/20260216-release-2026-1-1/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Unsafe variable evaluation in email templates",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Limit backend access to trusted users, do not use user-controlled variables in the email templates."
}
],
"value": "Limit backend access to trusted users, do not use user-controlled variables in the email templates."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-2451",
"datePublished": "2026-02-16T10:16:05.423Z",
"dateReserved": "2026-02-13T09:57:34.221Z",
"dateUpdated": "2026-02-17T17:06:30.536Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2415 (GCVE-0-2026-2415)
Vulnerability from nvd – Published: 2026-02-16 10:15 – Updated: 2026-02-17 17:06
VLAI
Title
Unsafe variable evaluation in email templates
Summary
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name}
is used in an email template, it will be replaced with the buyer's
name for the final email. This mechanism contained two security-relevant
bugs:
*
It was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}.
This way, an attacker with the ability to control email templates
(usually every user of the pretix backend) could retrieve sensitive
information from the system configuration, including even database
passwords or API keys. pretix does include mechanisms to prevent the usage of such
malicious placeholders, however due to a mistake in the code, they were
not fully effective for the email subject.
*
Placeholders in subjects and plain text bodies of emails were
wrongfully evaluated twice. Therefore, if the first evaluation of a
placeholder again contains a placeholder, this second placeholder was
rendered. This allows the rendering of placeholders controlled by the
ticket buyer, and therefore the exploitation of the first issue as a
ticket buyer. Luckily, the only buyer-controlled placeholder available
in pretix by default (that is not validated in a way that prevents the
issue) is {invoice_company}, which is very unusual (but not
impossible) to be contained in an email subject template. In addition
to broadening the attack surface of the first issue, this could
theoretically also leak information about an order to one of the
attendees within that order. However, we also consider this scenario
very unlikely under typical conditions.
Out of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg https://docs.pretix.eu/self-hosting/config/ file.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-627 - Dynamic Variable Evaluation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://pretix.eu/about/en/blog/20260216-release-… | vendor-advisory |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2415",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-17T16:43:12.852157Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-17T17:06:39.418Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.org/",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"repo": "https://github.com/pretix/pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2025.9.0",
"status": "affected",
"version": "4.16.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2025.9.4",
"status": "unaffected"
}
],
"lessThan": "2025.10.0",
"status": "affected",
"version": "2025.9.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2025.10.2",
"status": "unaffected"
}
],
"lessThan": "2026.1.0",
"status": "affected",
"version": "2025.10.0",
"versionType": "python"
},
{
"lessThan": "2026.1.1",
"status": "affected",
"version": "2026.1.0",
"versionType": "python"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eEmails sent by pretix can utilize placeholders that will be filled with customer data. For example, when \u003ccode\u003e{name}\u003c/code\u003e\n is used in an email template, it will be replaced with the buyer\u0027s \nname for the final email. This mechanism contained two security-relevant\n bugs:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\n\u003cp\u003eIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as \u003ccode\u003e{{event.__init__.__code__.co_filename}}\u003c/code\u003e.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for the email subject.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003ePlaceholders in subjects and plain text bodies of emails were \nwrongfully evaluated twice. Therefore, if the first evaluation of a \nplaceholder again contains a placeholder, this second placeholder was \nrendered. This allows the rendering of placeholders controlled by the \nticket buyer, and therefore the exploitation of the first issue as a \nticket buyer. Luckily, the only buyer-controlled placeholder available \nin pretix by default (that is not validated in a way that prevents the \nissue) is \u003ccode\u003e{invoice_company}\u003c/code\u003e, which is very unusual (but not\n impossible) to be contained in an email subject template. In addition \nto broadening the attack surface of the first issue, this could \ntheoretically also leak information about an order to one of the \nattendees within that order. However, we also consider this scenario \nvery unlikely under typical conditions.\u003c/p\u003e\u003c/li\u003e\u003c/ol\u003e\u003cdiv\u003eOut of caution, we recommend that you rotate all passwords and API keys contained in your \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.pretix.eu/self-hosting/config/\"\u003epretix.cfg\u003c/a\u003e\u0026nbsp;file.\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name}\n is used in an email template, it will be replaced with the buyer\u0027s \nname for the final email. This mechanism contained two security-relevant\n bugs:\n\n\n\n * \nIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for the email subject.\n\n\n\n\n * \nPlaceholders in subjects and plain text bodies of emails were \nwrongfully evaluated twice. Therefore, if the first evaluation of a \nplaceholder again contains a placeholder, this second placeholder was \nrendered. This allows the rendering of placeholders controlled by the \nticket buyer, and therefore the exploitation of the first issue as a \nticket buyer. Luckily, the only buyer-controlled placeholder available \nin pretix by default (that is not validated in a way that prevents the \nissue) is {invoice_company}, which is very unusual (but not\n impossible) to be contained in an email subject template. In addition \nto broadening the attack surface of the first issue, this could \ntheoretically also leak information about an order to one of the \nattendees within that order. However, we also consider this scenario \nvery unlikely under typical conditions.\n\n\nOut of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg https://docs.pretix.eu/self-hosting/config/ \u00a0file."
}
],
"impacts": [
{
"capecId": "CAPEC-545",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-545 Pull Data from System Resources"
}
]
},
{
"capecId": "CAPEC-77",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-77 Manipulating User-Controlled Variables"
}
]
},
{
"capecId": "CAPEC-54",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-54 Query System for Information"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"exploitMaturity": "PROOF_OF_CONCEPT",
"privilegesRequired": "LOW",
"providerUrgency": "RED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/RE:L/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-627",
"description": "CWE-627 Dynamic Variable Evaluation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-16T10:15:09.149Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://pretix.eu/about/en/blog/20260216-release-2026-1-1/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Unsafe variable evaluation in email templates",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Limit backend access to trusted users, do not use user-controlled variables in the email template subjects."
}
],
"value": "Limit backend access to trusted users, do not use user-controlled variables in the email template subjects."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-2415",
"datePublished": "2026-02-16T10:15:09.149Z",
"dateReserved": "2026-02-12T17:02:46.966Z",
"dateUpdated": "2026-02-17T17:06:39.418Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14881 (GCVE-0-2025-14881)
Vulnerability from nvd – Published: 2025-12-19 12:24 – Updated: 2025-12-19 12:58
VLAI
Title
Insecure direct object reference
Summary
Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://pretix.eu/about/en/blog/20251218-release-… | vendor-advisory |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14881",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-19T12:58:00.895498Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T12:58:15.508Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.org/",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"repo": "https://github.com/pretix/pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2025.8.0",
"status": "affected",
"version": "1.0.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2025.8.3",
"status": "unaffected"
}
],
"lessThan": "2025.9.0",
"status": "affected",
"version": "2025.8.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2025.9.3",
"status": "unaffected"
}
],
"lessThan": "2025.10.0",
"status": "affected",
"version": "2025.9.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2025.10.1",
"status": "unaffected"
}
],
"lessThan": "2025.11.0",
"status": "affected",
"version": "2025.10.0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Deniz Parlak (https://github.com/DenizParlak)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only."
}
],
"value": "Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 3.8,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T12:24:10.523Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://pretix.eu/about/en/blog/20251218-release-2025-10-1/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Insecure direct object reference",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2025-14881",
"datePublished": "2025-12-19T12:24:10.523Z",
"dateReserved": "2025-12-18T11:48:11.819Z",
"dateUpdated": "2025-12-19T12:58:15.508Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13742 (GCVE-0-2025-13742)
Vulnerability from nvd – Published: 2025-11-27 11:04 – Updated: 2025-11-28 15:22
VLAI
Title
Limited HTML injection in emails
Summary
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML in the resulting email. This way, a user could inject links or other formatted text through a maliciously formatted name. Since pretix applies a strict allow list approach to allowed HTML tags, this could not be abused for XSS or similarly dangerous attack chains. However, it can be used to manipulate emails in a way that makes user-provided content appear in a trustworthy and credible way, which can be abused for phishing.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Limited HTML injection in emails
- CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://pretix.eu/about/en/blog/20251126-release-… | vendor-advisory |
Impacted products
Date Public
2025-11-27 11:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13742",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-28T15:20:23.125472Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116 Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-28T15:22:05.481Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.org/",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"repo": "https://github.com/pretix/pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2025.7.0",
"status": "affected",
"version": "1.0.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2025.7.2",
"status": "unaffected"
}
],
"lessThan": "2025.8.0",
"status": "affected",
"version": "2025.7.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2025.8.1",
"status": "unaffected"
}
],
"lessThan": "2025.9.0",
"status": "affected",
"version": "2025.8.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2025.9.1",
"status": "unaffected"
}
],
"lessThan": "2025.10.0",
"status": "affected",
"version": "2025.9.0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jan Roring (binsec GmbH)"
}
],
"datePublic": "2025-11-27T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer\u0027s name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML in the resulting email. This way, a user could inject links or other formatted text through a maliciously formatted name. Since pretix applies a strict allow list approach to allowed HTML tags, this could not be abused for XSS or similarly dangerous attack chains. However, it can be used to manipulate emails in a way that makes user-provided content appear in a trustworthy and credible way, which can be abused for phishing."
}
],
"value": "Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer\u0027s name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML in the resulting email. This way, a user could inject links or other formatted text through a maliciously formatted name. Since pretix applies a strict allow list approach to allowed HTML tags, this could not be abused for XSS or similarly dangerous attack chains. However, it can be used to manipulate emails in a way that makes user-provided content appear in a trustworthy and credible way, which can be abused for phishing."
}
],
"impacts": [
{
"capecId": "CAPEC-134",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-134 Email Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.4,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:L/SC:N/SI:L/SA:L/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Limited HTML injection in emails",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-27T11:04:36.990Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://pretix.eu/about/en/blog/20251126-release-2025-9-1/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Limited HTML injection in emails",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2025-13742",
"datePublished": "2025-11-27T11:04:36.990Z",
"dateReserved": "2025-11-26T14:01:07.019Z",
"dateUpdated": "2025-11-28T15:22:05.481Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-8113 (GCVE-0-2024-8113)
Vulnerability from nvd – Published: 2024-08-23 14:18 – Updated: 2024-08-30 18:40
VLAI
Title
Stored XSS in Placeholder Samples in Mail Preview
Summary
Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. The default Content Security Policy of pretix prevents execution of attacker-provided scripts, making exploitation unlikely. However, combined with a CSP bypass (which is not currently known) the vulnerability could be used to impersonate other organizers or staff users.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://pretix.eu/about/en/blog/20240823-release-… | release-notes |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8113",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-30T18:23:56.592210Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-30T18:40:02.041Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"repo": "https://github.com/pretix/pretix",
"vendor": "pretix",
"versions": [
{
"changes": [
{
"at": "2024.4.1",
"status": "unaffected"
},
{
"at": "2024.5.1",
"status": "unaffected"
},
{
"at": "2024.6.1",
"status": "unaffected"
},
{
"at": "2024.7.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "2024.7.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Only exploitable if Content-Security-Policy are removed or if a CSP bypass is possible.\u003cbr\u003e"
}
],
"value": "Only exploitable if Content-Security-Policy are removed or if a CSP bypass is possible."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. The default Content Security Policy of pretix prevents execution of attacker-provided scripts, making exploitation unlikely. However, combined with a CSP bypass (which is not currently known) the vulnerability could be used to impersonate other organizers or staff users.\u003cbr\u003e"
}
],
"value": "Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. The default Content Security Policy of pretix prevents execution of attacker-provided scripts, making exploitation unlikely. However, combined with a CSP bypass (which is not currently known) the vulnerability could be used to impersonate other organizers or staff users."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "No known exploits.\u003cbr\u003e"
}
],
"value": "No known exploits."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/R:U/RE:L/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-23T14:24:05.228Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://pretix.eu/about/en/blog/20240823-release-2024-7-1/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Stored XSS in Placeholder Samples in Mail Preview",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2024-8113",
"datePublished": "2024-08-23T14:18:05.416Z",
"dateReserved": "2024-08-23T08:52:05.098Z",
"dateUpdated": "2024-08-30T18:40:02.041Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-27447 (GCVE-0-2024-27447)
Vulnerability from nvd – Published: 2024-02-26 00:00 – Updated: 2024-08-05 15:16
VLAI
Summary
pretix before 2024.1.1 mishandles file validation.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-20 - Improper Input Validation
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:34:52.146Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/pretix/pretix/compare/v2023.10.2...v2024.1.1"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:rami:pretix:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pretix",
"vendor": "rami",
"versions": [
{
"lessThan": "2024.1.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-27447",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-05T14:46:15.905298Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T15:16:33.447Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "pretix before 2024.1.1 mishandles file validation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-26T05:07:58.183Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/pretix/pretix/compare/v2023.10.2...v2024.1.1"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-27447",
"datePublished": "2024-02-26T00:00:00.000Z",
"dateReserved": "2024-02-26T00:00:00.000Z",
"dateUpdated": "2024-08-05T15:16:33.447Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-13602 (GCVE-0-2026-13602)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:45 – Updated: 2026-07-01 15:27
VLAI
Title
Session takeover vulnerability
Summary
We found a chain of combining multiple weaknesses in the product that could allow an attacker to become any user in the backend and access any data:
*
The payment integration plugins Stripe (included in the core system), pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, and pretix-saferpay
contain a code path that is intended for the transport of session
parameters from a tab with isolated cookies (e.g. in the pretix widget)
to a new tab. For this purpose, a set of session parameters is
cryptographically signed and then passed to the new tab as a URL
parameter. The plugins perform no further validation of the session
parameters, other than the cryptographic signature being valid. This is
fixed with the releases issued today by strictly validating that no
session parameters outside of the scope of the respective plugin may be
set.
*
An unrelated feature in the core system is used to generate redirect links that obfuscate any Referer
headers for outgoing links to prevent leakage of secrets in URLs. This
redirect page also requires cryptographically signed parameters.
Unfortunately, it uses the same key and salt for the signature as the
previously mentioned feature in the payment integration plugins. A
motivated attacker with access to at least one event in the backend can
trick the system into cryptographically signing arbitrary content using
specially crafted links. In combination with the previous issue, the
attacker could use this to set and modify arbitrary parameters on their
user session by injecting the signed parameters into the feature of the
payment providers. This is fixed with the releases issued today by using
different salts for the signature for each plugin and feature.
*
A third, unrelated feature in the core system is used for admin users
to act on behalf of another user, mostly for debugging purposes. With
being able to insert arbitrary parameters into a session, an attacker
can abuse this feature to change their session from their actual user to
any user in the system by guessing a valid user ID. This is fixed with
the release today by requiring unguessable information to be contained
in the session of the user to switch to.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://pretix.eu/about/en/blog/20260701-release-… | vendor-advisory |
Impacted products
8 products
| Vendor | Product | Version | |
|---|---|---|---|
| pretix | pretix |
Affected:
4.14.0 , < 2026.3.5
(python)
Affected: 2026.4.0 , < 2026.4.5 (python) Affected: 2026.5.0 , < 2026.5.3 (python) |
|
| pretix | pretix-mollie |
Affected:
0 , < 2.5.7
(python)
|
|
| pretix | pretix-oppwa |
Affected:
0 , < 1.4.4
(python)
|
|
| pretix | pretix-bitpay |
Affected:
0 , < 1.5.3
(python)
|
|
| pretix | pretix-payone |
Affected:
0 , < 1.4.3
(python)
|
|
| pretix | pretix-secuconnect |
Affected:
0 , < 1.0.4
(python)
|
|
| pretix | pretix-sofort |
Affected:
0 , < 1.4.2
(python)
|
|
| pretix | pretix-saferpay |
Affected:
0 , < 1.6.3
(python)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13602",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:26:54.400278Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:27:00.431Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"repo": "https://github.com/pretix/pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2026.3.5",
"status": "affected",
"version": "4.14.0",
"versionType": "python"
},
{
"lessThan": "2026.4.5",
"status": "affected",
"version": "2026.4.0",
"versionType": "python"
},
{
"lessThan": "2026.5.3",
"status": "affected",
"version": "2026.5.0",
"versionType": "python"
}
]
},
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix-mollie",
"product": "pretix-mollie",
"repo": "https://github.com/pretix/pretix-mollie",
"vendor": "pretix",
"versions": [
{
"lessThan": "2.5.7",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
},
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix-oppwa",
"product": "pretix-oppwa",
"repo": "https://github.com/pretix/pretix-oppwa",
"vendor": "pretix",
"versions": [
{
"lessThan": "1.4.4",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
},
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix-bitpay",
"product": "pretix-bitpay",
"repo": "https://github.com/pretix/pretix-bitpay",
"vendor": "pretix",
"versions": [
{
"lessThan": "1.5.3",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
},
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix-payone",
"product": "pretix-payone",
"repo": "https://github.com/pretix/pretix-payone",
"vendor": "pretix",
"versions": [
{
"lessThan": "1.4.3",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
},
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix-secuconnect",
"product": "pretix-secuconnect",
"repo": "https://github.com/pretix/pretix-secuconnect",
"vendor": "pretix",
"versions": [
{
"lessThan": "1.0.4",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
},
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix-sofort",
"product": "pretix-sofort",
"repo": "https://github.com/pretix/pretix-sofort",
"vendor": "pretix",
"versions": [
{
"lessThan": "1.4.2",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
},
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix-saferpay",
"product": "pretix-saferpay",
"repo": "https://github.com/pretix/pretix-saferpay",
"vendor": "pretix",
"versions": [
{
"lessThan": "1.6.3",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eWe found a chain of combining multiple weaknesses in the product that could allow an attacker to become \u003cstrong\u003eany\u003c/strong\u003e user in the backend and access \u003cstrong\u003eany\u003c/strong\u003e data:\u003c/p\u003e\u003cp\u003e\n\u003c/p\u003e\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eThe payment integration plugins Stripe (included in the core system), \u003ccode\u003epretix-mollie\u003c/code\u003e, \u003ccode\u003epretix-oppwa\u003c/code\u003e, \u003ccode\u003epretix-bitpay\u003c/code\u003e, \u003ccode\u003epretix-payone\u003c/code\u003e, \u003ccode\u003epretix-secuconnect\u003c/code\u003e, \u003ccode\u003epretix-sofort\u003c/code\u003e, and \u003ccode\u003epretix-saferpay\u003c/code\u003e\n contain a code path that is intended for the transport of session \nparameters from a tab with isolated cookies (e.g. in the pretix widget) \nto a new tab. For this purpose, a set of session parameters is \ncryptographically signed and then passed to the new tab as a URL \nparameter. The plugins perform no further validation of the session \nparameters, other than the cryptographic signature being valid. This is \nfixed with the releases issued today by strictly validating that no \nsession parameters outside of the scope of the respective plugin may be \nset.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAn unrelated feature in the core system is used to generate redirect links that obfuscate any \u003ccode\u003eReferer\u003c/code\u003e\n headers for outgoing links to prevent leakage of secrets in URLs. This \nredirect page also requires cryptographically signed parameters. \nUnfortunately, it uses the same key and salt for the signature as the \npreviously mentioned feature in the payment integration plugins. A \nmotivated attacker with access to at least one event in the backend can \ntrick the system into cryptographically signing arbitrary content using \nspecially crafted links. In combination with the previous issue, the \nattacker could use this to set and modify arbitrary parameters on their \nuser session by injecting the signed parameters into the feature of the \npayment providers. This is fixed with the releases issued today by using\n different salts for the signature for each plugin and feature.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eA third, unrelated feature in the core system is used for admin users\n to act on behalf of another user, mostly for debugging purposes. With \nbeing able to insert arbitrary parameters into a session, an attacker \ncan abuse this feature to change their session from their actual user to\n any user in the system by guessing a valid user ID. This is fixed with\n the release today by requiring unguessable information to be contained \nin the session of the user to switch to.\u003c/p\u003e\n\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "We found a chain of combining multiple weaknesses in the product that could allow an attacker to become any user in the backend and access any data:\n\n\n\n\n\n\n\n * \n\n\nThe payment integration plugins Stripe (included in the core system), pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, and pretix-saferpay\n contain a code path that is intended for the transport of session \nparameters from a tab with isolated cookies (e.g. in the pretix widget) \nto a new tab. For this purpose, a set of session parameters is \ncryptographically signed and then passed to the new tab as a URL \nparameter. The plugins perform no further validation of the session \nparameters, other than the cryptographic signature being valid. This is \nfixed with the releases issued today by strictly validating that no \nsession parameters outside of the scope of the respective plugin may be \nset.\n\n\n\n\n * \n\n\nAn unrelated feature in the core system is used to generate redirect links that obfuscate any Referer\n headers for outgoing links to prevent leakage of secrets in URLs. This \nredirect page also requires cryptographically signed parameters. \nUnfortunately, it uses the same key and salt for the signature as the \npreviously mentioned feature in the payment integration plugins. A \nmotivated attacker with access to at least one event in the backend can \ntrick the system into cryptographically signing arbitrary content using \nspecially crafted links. In combination with the previous issue, the \nattacker could use this to set and modify arbitrary parameters on their \nuser session by injecting the signed parameters into the feature of the \npayment providers. This is fixed with the releases issued today by using\n different salts for the signature for each plugin and feature.\n\n\n\n\n * \n\n\nA third, unrelated feature in the core system is used for admin users\n to act on behalf of another user, mostly for debugging purposes. With \nbeing able to insert arbitrary parameters into a session, an attacker \ncan abuse this feature to change their session from their actual user to\n any user in the system by guessing a valid user ID. This is fixed with\n the release today by requiring unguessable information to be contained \nin the session of the user to switch to."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
},
{
"capecId": "CAPEC-61",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-61 Session Fixation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper input validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-323",
"description": "CWE-323 Reusing a nonce, key pair in encryption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:45:30.615Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://pretix.eu/about/en/blog/20260701-release-2026-5-3/"
}
],
"title": "Session takeover vulnerability",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "If you are unable to update quickly, we recommend to block the URL \u003ccode\u003e/control/users/impersonate/stop\u003c/code\u003e in your webserver configuration. In nginx, you can do this by inserting \u003ccode\u003elocation /control/users/impersonate/stop { deny all; }\u003c/code\u003e\n into the correct block. However, this only remedies the most critical \nimpact the other vulnerabilities have, and we still recommend you plan \nan update as soon as possible."
}
],
"value": "If you are unable to update quickly, we recommend to block the URL /control/users/impersonate/stop in your webserver configuration. In nginx, you can do this by inserting location /control/users/impersonate/stop { deny all; }\n into the correct block. However, this only remedies the most critical \nimpact the other vulnerabilities have, and we still recommend you plan \nan update as soon as possible."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-13602",
"datePublished": "2026-07-01T13:45:30.615Z",
"dateReserved": "2026-06-29T08:26:50.725Z",
"dateUpdated": "2026-07-01T15:27:00.431Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-57532 (GCVE-0-2026-57532)
Vulnerability from cvelistv5 – Published: 2026-06-25 14:32 – Updated: 2026-06-25 15:04
VLAI
Summary
Malicious HTML content contained in the layout specification of a PDF
ticket or badge layout was executed when the PDF editor is opened in the
browser. This could allow one backend user to inject JavaScript into
the browser context of another backend user. Due to requirements of the
PDF rendering and editing libraries used, this is one of the few pages
in our backend that do not have a strong Content-Security-Policy that
would render this capability useless for most scenarios.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-80 - Improper neutralization of Script-Related HTML tags in a web page (basic XSS)
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-57532",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T15:04:18.329787Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T15:04:24.738Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"repo": "https://github.com/pretix/pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2026.3.4",
"status": "affected",
"version": "0",
"versionType": "python"
},
{
"lessThan": "2026.4.4",
"status": "affected",
"version": "2026.4.0",
"versionType": "python"
},
{
"lessThan": "2026.5.2",
"status": "affected",
"version": "2026.5.0",
"versionType": "python"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Malicious HTML content contained in the layout specification of a PDF \nticket or badge layout was executed when the PDF editor is opened in the\n browser. This could allow one backend user to inject JavaScript into \nthe browser context of another backend user. Due to requirements of the \nPDF rendering and editing libraries used, this is one of the few pages \nin our backend that do not have a strong Content-Security-Policy that \nwould render this capability useless for most scenarios."
}
],
"value": "Malicious HTML content contained in the layout specification of a PDF \nticket or badge layout was executed when the PDF editor is opened in the\n browser. This could allow one backend user to inject JavaScript into \nthe browser context of another backend user. Due to requirements of the \nPDF rendering and editing libraries used, this is one of the few pages \nin our backend that do not have a strong Content-Security-Policy that \nwould render this capability useless for most scenarios."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80 Improper neutralization of Script-Related HTML tags in a web page (basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T14:32:37.967Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"url": "https://pretix.eu/about/en/blog/20260625-release-2026-5-2/"
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-57532",
"datePublished": "2026-06-25T14:32:37.967Z",
"dateReserved": "2026-06-24T15:59:32.628Z",
"dateUpdated": "2026-06-25T15:04:24.738Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-57533 (GCVE-0-2026-57533)
Vulnerability from cvelistv5 – Published: 2026-06-25 14:31 – Updated: 2026-06-25 15:05
VLAI
Summary
Malicious HTML content could be injected into the page pretix shows when
redirection to an untrusted page occurs. Since this page has a
Content-Security-Policy, this can mainly be used for phishing purposes.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-80 - Improper neutralization of Script-Related HTML tags in a web page (basic XSS)
Assigner
References
1 reference
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-57533",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T15:05:08.728267Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T15:05:14.046Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"repo": "https://github.com/pretix/pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2026.3.4",
"status": "affected",
"version": "0",
"versionType": "python"
},
{
"lessThan": "2026.4.4",
"status": "affected",
"version": "2026.4.0",
"versionType": "python"
},
{
"lessThan": "2026.5.2",
"status": "affected",
"version": "2026.5.0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Haxset"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Malicious HTML content could be injected into the page pretix shows when\n redirection to an untrusted page occurs. Since this page has a \nContent-Security-Policy, this can mainly be used for phishing purposes."
}
],
"value": "Malicious HTML content could be injected into the page pretix shows when\n redirection to an untrusted page occurs. Since this page has a \nContent-Security-Policy, this can mainly be used for phishing purposes."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80 Improper neutralization of Script-Related HTML tags in a web page (basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T14:31:18.968Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"url": "https://pretix.eu/about/en/blog/20260625-release-2026-5-2/"
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-57533",
"datePublished": "2026-06-25T14:31:18.968Z",
"dateReserved": "2026-06-24T15:59:32.628Z",
"dateUpdated": "2026-06-25T15:05:14.046Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-57535 (GCVE-0-2026-57535)
Vulnerability from cvelistv5 – Published: 2026-06-25 14:29 – Updated: 2026-06-25 15:10
VLAI
Summary
Content injected to PDF rendering contexts could, in many places, include HTML content including <img> tags. If the src
attribute of these images pointed to an URL, the PDF rendering engine
would download the image from that place and display it, thereby leaking
information about the rendering server and possibly creating an SSRF
vector in the local network.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-80 - Improper neutralization of Script-Related HTML tags in a web page (basic XSS)
Assigner
References
1 reference
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-57535",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T15:10:42.511872Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T15:10:48.584Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"repo": "https://github.com/pretix/pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2026.3.4",
"status": "affected",
"version": "0",
"versionType": "python"
},
{
"lessThan": "2026.4.4",
"status": "affected",
"version": "2026.4.0",
"versionType": "python"
},
{
"lessThan": "2026.5.2",
"status": "affected",
"version": "2026.5.0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rokkam Vamshi"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Content injected to PDF rendering contexts could, in many places, include HTML content including \u003ccode\u003e\u0026lt;img\u0026gt;\u003c/code\u003e tags. If the \u003ccode\u003esrc\u003c/code\u003e\n attribute of these images pointed to an URL, the PDF rendering engine \nwould download the image from that place and display it, thereby leaking\n information about the rendering server and possibly creating an SSRF \nvector in the local network."
}
],
"value": "Content injected to PDF rendering contexts could, in many places, include HTML content including \u003cimg\u003e tags. If the src\n attribute of these images pointed to an URL, the PDF rendering engine \nwould download the image from that place and display it, thereby leaking\n information about the rendering server and possibly creating an SSRF \nvector in the local network."
}
],
"impacts": [
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80 Improper neutralization of Script-Related HTML tags in a web page (basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T14:32:51.282Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"url": "https://pretix.eu/about/en/blog/20260625-release-2026-5-2/"
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-57535",
"datePublished": "2026-06-25T14:29:18.531Z",
"dateReserved": "2026-06-24T15:59:32.628Z",
"dateUpdated": "2026-06-25T15:10:48.584Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13225 (GCVE-0-2026-13225)
Vulnerability from cvelistv5 – Published: 2026-06-25 14:26 – Updated: 2026-06-25 15:11
VLAI
Title
Stored XSS in ticket confirmation page
Summary
Malicious HTML content could be injected into the email address of an
order, which pretix showed without sanitization on the confirmation page
for individual tickets in that order.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-80 - Improper neutralization of Script-Related HTML tags in a web page (basic XSS)
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13225",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T15:11:06.802643Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T15:11:12.132Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"repo": "https://github.com/pretix/pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2026.3.4",
"status": "affected",
"version": "0",
"versionType": "python"
},
{
"lessThan": "2026.4.4",
"status": "affected",
"version": "2026.4.0",
"versionType": "python"
},
{
"lessThan": "2026.5.2",
"status": "affected",
"version": "2026.5.0",
"versionType": "python"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Malicious HTML content could be injected into the email address of an \norder, which pretix showed without sanitization on the confirmation page\n for individual tickets in that order."
}
],
"value": "Malicious HTML content could be injected into the email address of an \norder, which pretix showed without sanitization on the confirmation page\n for individual tickets in that order."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80 Improper neutralization of Script-Related HTML tags in a web page (basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T14:26:31.972Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"url": "https://pretix.eu/about/en/blog/20260625-release-2026-5-2/"
}
],
"title": "Stored XSS in ticket confirmation page",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-13225",
"datePublished": "2026-06-25T14:26:31.972Z",
"dateReserved": "2026-06-24T16:14:10.932Z",
"dateUpdated": "2026-06-25T15:11:12.132Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11764 (GCVE-0-2026-11764)
Vulnerability from cvelistv5 – Published: 2026-06-09 11:54 – Updated: 2026-06-09 13:49
VLAI
Title
Data exposed without proper permission
Summary
When creating an export of all reusable media, the secrets of connected
gift cards were included in the export even if the user creating the
export does not have permission to view gift cards. This is inconsistent
with the UI and API where only the first letters of the gift card
secret are shown. Therefore, it allows circumventing a permission
boundary.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-280 - Improper handling of insufficient permissions or privileges
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://pretix.eu/about/en/blog/20260609-release-… | vendor-advisory |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11764",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T13:49:30.786909Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T13:49:42.672Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.org/",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"repo": "https://github.com/pretix/pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2026.3.0",
"status": "affected",
"version": "2024.1.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2026.3.3",
"status": "unaffected"
}
],
"lessThan": "2026.4.0",
"status": "affected",
"version": "2026.3.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2026.4.3",
"status": "unaffected"
}
],
"lessThan": "2026.5.0",
"status": "affected",
"version": "2026.4.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2026.5.1",
"status": "unaffected"
}
],
"lessThan": "2026.6.0",
"status": "affected",
"version": "2026.5.0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mr. JDH"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eWhen creating an export of all reusable media, the secrets of connected \ngift cards were included in the export even if the user creating the \nexport does not have permission to view gift cards. This is inconsistent\n with the UI and API where only the first letters of the gift card \nsecret are shown. Therefore, it allows circumventing a permission \nboundary.\u003c/p\u003e"
}
],
"value": "When creating an export of all reusable media, the secrets of connected \ngift cards were included in the export even if the user creating the \nexport does not have permission to view gift cards. This is inconsistent\n with the UI and API where only the first letters of the gift card \nsecret are shown. Therefore, it allows circumventing a permission \nboundary."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 3.6,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-280",
"description": "CWE-280 Improper handling of insufficient permissions or privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T11:54:37.865Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://pretix.eu/about/en/blog/20260609-release-2026-5-1/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Data exposed without proper permission",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-11764",
"datePublished": "2026-06-09T11:54:37.865Z",
"dateReserved": "2026-06-09T08:08:24.188Z",
"dateUpdated": "2026-06-09T13:49:42.672Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9712 (GCVE-0-2026-9712)
Vulnerability from cvelistv5 – Published: 2026-05-27 14:35 – Updated: 2026-05-28 15:39
VLAI
Title
Insecure direct object reference
Summary
When creating an export through the pretix API, API clients are
returned an UUID value for their export job (a long, random string like
35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client
can then request the actual file for download. The same kind of UUID is
used in other places in pretix when temporary files are generated for
internal use or download.
One remaining API endpoint, however, wrongfully did not verify if the
UUID used for download actually belongs to a file that is supposed to
be downloadable and belongs to the correct user. In reality, this is
hard to exploit because an attacker would need to have access to a valid
UUID for the file they desire which is unlikely to happen without a
separate security problem giving them access to logs etc.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://pretix.eu/about/en/blog/20260527-release-… | vendor-advisory |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9712",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T15:39:22.313424Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T15:39:28.686Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.org/",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"repo": "https://github.com/pretix/pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2026.2.0",
"status": "affected",
"version": "2024.10.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2026.2.2",
"status": "unaffected"
}
],
"lessThan": "2026.3.0",
"status": "affected",
"version": "2026.2.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2026.3.2",
"status": "unaffected"
}
],
"lessThan": "2026.4.0",
"status": "affected",
"version": "2026.3.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2026.4.2",
"status": "unaffected"
}
],
"lessThan": "2026.5.0",
"status": "affected",
"version": "2026.4.0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Deepjyoti Roy"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eWhen creating an export through the pretix API, API clients are \nreturned an UUID value for their export job (a long, random string like \n35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client \ncan then request the actual file for download. The same kind of UUID is \nused in other places in pretix when temporary files are generated for \ninternal use or download.\u003c/p\u003e\n\u003cp\u003eOne remaining API endpoint, however, wrongfully did not verify if the\n UUID used for download actually belongs to a file that is supposed to \nbe downloadable and belongs to the correct user. In reality, this is \nhard to exploit because an attacker would need to have access to a valid\n UUID for the file they desire which is unlikely to happen without a \nseparate security problem giving them access to logs etc.\u003c/p\u003e"
}
],
"value": "When creating an export through the pretix API, API clients are \nreturned an UUID value for their export job (a long, random string like \n35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client \ncan then request the actual file for download. The same kind of UUID is \nused in other places in pretix when temporary files are generated for \ninternal use or download.\n\n\n\n\nOne remaining API endpoint, however, wrongfully did not verify if the\n UUID used for download actually belongs to a file that is supposed to \nbe downloadable and belongs to the correct user. In reality, this is \nhard to exploit because an attacker would need to have access to a valid\n UUID for the file they desire which is unlikely to happen without a \nseparate security problem giving them access to logs etc."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 3.8,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T14:35:58.857Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://pretix.eu/about/en/blog/20260527-release-2026-4-2/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Insecure direct object reference",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-9712",
"datePublished": "2026-05-27T14:35:58.857Z",
"dateReserved": "2026-05-27T14:18:33.470Z",
"dateUpdated": "2026-05-28T15:39:28.686Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5600 (GCVE-0-2026-5600)
Vulnerability from cvelistv5 – Published: 2026-04-08 12:24 – Updated: 2026-04-08 16:03
VLAI
Summary
A new API endpoint introduced in pretix 2025 that is supposed to
return all check-in events of a specific event in fact returns all
check-in events belonging to the respective organizer. This allows an
API consumer to access information for all other events under the same
organizer, even those they should not have access to.
These records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example:
{
"id": 123,
"successful": true,
"error_reason": null,
"error_explanation": null,
"position": 321,
"datetime": "2020-08-23T09:00:00+02:00",
"list": 456,
"created": "2020-08-23T09:00:00+02:00",
"auto_checked_in": false,
"gate": null,
"device": 1,
"device_id": 1,
"type": "entry"
}
An unauthorized user usually has no way to match these IDs (position) back to individual people.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-653 - Improper isolation or compartmentalization
Assigner
References
1 reference
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5600",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-08T16:02:54.453740Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:03:07.473Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2026.1.2",
"status": "affected",
"version": "2025.10.0",
"versionType": "python"
},
{
"lessThan": "2026.2.1",
"status": "affected",
"version": "2026.2.0",
"versionType": "python"
},
{
"lessThan": "2026.3.1",
"status": "affected",
"version": "2026.3.0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pratik Karan"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA new API endpoint introduced in pretix 2025 that is supposed to \nreturn all check-in events of a specific event in fact returns all \ncheck-in events belonging to the respective organizer. This allows an \nAPI consumer to access information for all other events under the same \norganizer, even those they should not have access to.\u003c/p\u003e\n\u003cp\u003eThese records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003e{\n \"id\": 123,\n \"successful\": true,\n \"error_reason\": null,\n \"error_explanation\": null,\n \"position\": 321,\n \"datetime\": \"2020-08-23T09:00:00+02:00\",\n \"list\": 456,\n \"created\": \"2020-08-23T09:00:00+02:00\",\n \"auto_checked_in\": false,\n \"gate\": null,\n \"device\": 1,\n \"device_id\": 1,\n \"type\": \"entry\"\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eAn unauthorized user usually has no way to match these IDs (\u003ccode\u003eposition\u003c/code\u003e) back to individual people.\u003c/p\u003e"
}
],
"value": "A new API endpoint introduced in pretix 2025 that is supposed to \nreturn all check-in events of a specific event in fact returns all \ncheck-in events belonging to the respective organizer. This allows an \nAPI consumer to access information for all other events under the same \norganizer, even those they should not have access to.\n\n\nThese records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example:\n\n\n{\n \"id\": 123,\n \"successful\": true,\n \"error_reason\": null,\n \"error_explanation\": null,\n \"position\": 321,\n \"datetime\": \"2020-08-23T09:00:00+02:00\",\n \"list\": 456,\n \"created\": \"2020-08-23T09:00:00+02:00\",\n \"auto_checked_in\": false,\n \"gate\": null,\n \"device\": 1,\n \"device_id\": 1,\n \"type\": \"entry\"\n}\n\n\n\nAn unauthorized user usually has no way to match these IDs (position) back to individual people."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "auth"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-653",
"description": "CWE-653 Improper isolation or compartmentalization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T12:24:51.602Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"url": "https://pretix.eu/about/en/blog/20260408-release-2026-3-1/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-5600",
"datePublished": "2026-04-08T12:24:51.602Z",
"dateReserved": "2026-04-05T12:25:54.058Z",
"dateUpdated": "2026-04-08T16:03:07.473Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2452 (GCVE-0-2026-2452)
Vulnerability from cvelistv5 – Published: 2026-02-16 10:16 – Updated: 2026-02-17 17:06
VLAI
Title
Unsafe variable evaluation in email templates
Summary
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name}
is used in an email template, it will be replaced with the buyer's
name for the final email. This mechanism contained a security-relevant bug:
It was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}.
This way, an attacker with the ability to control email templates
(usually every user of the pretix backend) could retrieve sensitive
information from the system configuration, including even database
passwords or API keys. pretix does include mechanisms to prevent the usage of such
malicious placeholders, however due to a mistake in the code, they were
not fully effective for this plugin.
Out of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg https://docs.pretix.eu/self-hosting/config/ file.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-627 - Dynamic Variable Evaluation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://pretix.eu/about/en/blog/20260216-release-… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| pretix | pretix-newsletter |
Affected:
1.0.0 , < 2.0.0
(python)
Affected: 2.0.0 , < 2.0.1 (python) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2452",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-17T16:43:10.295791Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-17T17:06:21.998Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://marketplace.pretix.eu/",
"defaultStatus": "unaffected",
"packageName": "pretix-newsletter",
"product": "pretix-newsletter",
"vendor": "pretix",
"versions": [
{
"changes": [
{
"at": "1.6.3",
"status": "unaffected"
}
],
"lessThan": "2.0.0",
"status": "affected",
"version": "1.0.0",
"versionType": "python"
},
{
"lessThan": "2.0.1",
"status": "affected",
"version": "2.0.0",
"versionType": "python"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eEmails sent by pretix can utilize placeholders that will be filled with customer data. For example, when \u003ccode\u003e{name}\u003c/code\u003e\n is used in an email template, it will be replaced with the buyer\u0027s \nname for the final email. This mechanism contained a security-relevant bug:\u003c/p\u003e\u003cp\u003eIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as \u003ccode\u003e{{event.__init__.__code__.co_filename}}\u003c/code\u003e.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for this plugin.\u003c/p\u003e\u003cp\u003eOut of caution, we recommend that you rotate all passwords and API keys contained in your \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.pretix.eu/self-hosting/config/\"\u003epretix.cfg\u003c/a\u003e\u0026nbsp;file.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name}\n is used in an email template, it will be replaced with the buyer\u0027s \nname for the final email. This mechanism contained a security-relevant bug:\n\nIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for this plugin.\n\nOut of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg https://docs.pretix.eu/self-hosting/config/ \u00a0file."
}
],
"impacts": [
{
"capecId": "CAPEC-545",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-545 Pull Data from System Resources"
}
]
},
{
"capecId": "CAPEC-77",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-77 Manipulating User-Controlled Variables"
}
]
},
{
"capecId": "CAPEC-54",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-54 Query System for Information"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"exploitMaturity": "PROOF_OF_CONCEPT",
"privilegesRequired": "LOW",
"providerUrgency": "RED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/RE:L/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-627",
"description": "CWE-627 Dynamic Variable Evaluation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-16T10:16:22.027Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://pretix.eu/about/en/blog/20260216-release-2026-1-1/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Unsafe variable evaluation in email templates",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Limit backend access to trusted users, do not use user-controlled variables in the email templates."
}
],
"value": "Limit backend access to trusted users, do not use user-controlled variables in the email templates."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-2452",
"datePublished": "2026-02-16T10:16:22.027Z",
"dateReserved": "2026-02-13T09:57:35.371Z",
"dateUpdated": "2026-02-17T17:06:21.998Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2451 (GCVE-0-2026-2451)
Vulnerability from cvelistv5 – Published: 2026-02-16 10:16 – Updated: 2026-02-17 17:06
VLAI
Title
Unsafe variable evaluation in email templates
Summary
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name}
is used in an email template, it will be replaced with the buyer's
name for the final email. This mechanism contained a security-relevant bug:
It was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}.
This way, an attacker with the ability to control email templates
(usually every user of the pretix backend) could retrieve sensitive
information from the system configuration, including even database
passwords or API keys. pretix does include mechanisms to prevent the usage of such
malicious placeholders, however due to a mistake in the code, they were
not fully effective for this plugin.
Out of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg file.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-627 - Dynamic Variable Evaluation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://pretix.eu/about/en/blog/20260216-release-… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| pretix | pretix-doistep |
Affected:
1.0.0 , < 1.3.2
(python)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2451",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-17T16:43:11.539670Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-17T17:06:30.536Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://marketplace.pretix.eu/",
"defaultStatus": "unaffected",
"packageName": "pretix-doistep",
"product": "pretix-doistep",
"vendor": "pretix",
"versions": [
{
"lessThan": "1.3.2",
"status": "affected",
"version": "1.0.0",
"versionType": "python"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eEmails sent by pretix can utilize placeholders that will be filled with customer data. For example, when \u003ccode\u003e{name}\u003c/code\u003e\n is used in an email template, it will be replaced with the buyer\u0027s \nname for the final email. This mechanism contained a security-relevant bug:\u003c/p\u003e\u003cp\u003eIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as \u003ccode\u003e{{event.__init__.__code__.co_filename}}\u003c/code\u003e.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for this plugin.\u003c/p\u003e\u003cp\u003eOut of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg\u0026nbsp;file.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name}\n is used in an email template, it will be replaced with the buyer\u0027s \nname for the final email. This mechanism contained a security-relevant bug:\n\nIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for this plugin.\n\nOut of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg\u00a0file."
}
],
"impacts": [
{
"capecId": "CAPEC-545",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-545 Pull Data from System Resources"
}
]
},
{
"capecId": "CAPEC-77",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-77 Manipulating User-Controlled Variables"
}
]
},
{
"capecId": "CAPEC-54",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-54 Query System for Information"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"exploitMaturity": "PROOF_OF_CONCEPT",
"privilegesRequired": "LOW",
"providerUrgency": "RED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/RE:L/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-627",
"description": "CWE-627 Dynamic Variable Evaluation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-16T10:16:05.423Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://pretix.eu/about/en/blog/20260216-release-2026-1-1/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Unsafe variable evaluation in email templates",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Limit backend access to trusted users, do not use user-controlled variables in the email templates."
}
],
"value": "Limit backend access to trusted users, do not use user-controlled variables in the email templates."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-2451",
"datePublished": "2026-02-16T10:16:05.423Z",
"dateReserved": "2026-02-13T09:57:34.221Z",
"dateUpdated": "2026-02-17T17:06:30.536Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2415 (GCVE-0-2026-2415)
Vulnerability from cvelistv5 – Published: 2026-02-16 10:15 – Updated: 2026-02-17 17:06
VLAI
Title
Unsafe variable evaluation in email templates
Summary
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name}
is used in an email template, it will be replaced with the buyer's
name for the final email. This mechanism contained two security-relevant
bugs:
*
It was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}.
This way, an attacker with the ability to control email templates
(usually every user of the pretix backend) could retrieve sensitive
information from the system configuration, including even database
passwords or API keys. pretix does include mechanisms to prevent the usage of such
malicious placeholders, however due to a mistake in the code, they were
not fully effective for the email subject.
*
Placeholders in subjects and plain text bodies of emails were
wrongfully evaluated twice. Therefore, if the first evaluation of a
placeholder again contains a placeholder, this second placeholder was
rendered. This allows the rendering of placeholders controlled by the
ticket buyer, and therefore the exploitation of the first issue as a
ticket buyer. Luckily, the only buyer-controlled placeholder available
in pretix by default (that is not validated in a way that prevents the
issue) is {invoice_company}, which is very unusual (but not
impossible) to be contained in an email subject template. In addition
to broadening the attack surface of the first issue, this could
theoretically also leak information about an order to one of the
attendees within that order. However, we also consider this scenario
very unlikely under typical conditions.
Out of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg https://docs.pretix.eu/self-hosting/config/ file.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-627 - Dynamic Variable Evaluation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://pretix.eu/about/en/blog/20260216-release-… | vendor-advisory |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2415",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-17T16:43:12.852157Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-17T17:06:39.418Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.org/",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"repo": "https://github.com/pretix/pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2025.9.0",
"status": "affected",
"version": "4.16.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2025.9.4",
"status": "unaffected"
}
],
"lessThan": "2025.10.0",
"status": "affected",
"version": "2025.9.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2025.10.2",
"status": "unaffected"
}
],
"lessThan": "2026.1.0",
"status": "affected",
"version": "2025.10.0",
"versionType": "python"
},
{
"lessThan": "2026.1.1",
"status": "affected",
"version": "2026.1.0",
"versionType": "python"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eEmails sent by pretix can utilize placeholders that will be filled with customer data. For example, when \u003ccode\u003e{name}\u003c/code\u003e\n is used in an email template, it will be replaced with the buyer\u0027s \nname for the final email. This mechanism contained two security-relevant\n bugs:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\n\u003cp\u003eIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as \u003ccode\u003e{{event.__init__.__code__.co_filename}}\u003c/code\u003e.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for the email subject.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003ePlaceholders in subjects and plain text bodies of emails were \nwrongfully evaluated twice. Therefore, if the first evaluation of a \nplaceholder again contains a placeholder, this second placeholder was \nrendered. This allows the rendering of placeholders controlled by the \nticket buyer, and therefore the exploitation of the first issue as a \nticket buyer. Luckily, the only buyer-controlled placeholder available \nin pretix by default (that is not validated in a way that prevents the \nissue) is \u003ccode\u003e{invoice_company}\u003c/code\u003e, which is very unusual (but not\n impossible) to be contained in an email subject template. In addition \nto broadening the attack surface of the first issue, this could \ntheoretically also leak information about an order to one of the \nattendees within that order. However, we also consider this scenario \nvery unlikely under typical conditions.\u003c/p\u003e\u003c/li\u003e\u003c/ol\u003e\u003cdiv\u003eOut of caution, we recommend that you rotate all passwords and API keys contained in your \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.pretix.eu/self-hosting/config/\"\u003epretix.cfg\u003c/a\u003e\u0026nbsp;file.\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name}\n is used in an email template, it will be replaced with the buyer\u0027s \nname for the final email. This mechanism contained two security-relevant\n bugs:\n\n\n\n * \nIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for the email subject.\n\n\n\n\n * \nPlaceholders in subjects and plain text bodies of emails were \nwrongfully evaluated twice. Therefore, if the first evaluation of a \nplaceholder again contains a placeholder, this second placeholder was \nrendered. This allows the rendering of placeholders controlled by the \nticket buyer, and therefore the exploitation of the first issue as a \nticket buyer. Luckily, the only buyer-controlled placeholder available \nin pretix by default (that is not validated in a way that prevents the \nissue) is {invoice_company}, which is very unusual (but not\n impossible) to be contained in an email subject template. In addition \nto broadening the attack surface of the first issue, this could \ntheoretically also leak information about an order to one of the \nattendees within that order. However, we also consider this scenario \nvery unlikely under typical conditions.\n\n\nOut of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg https://docs.pretix.eu/self-hosting/config/ \u00a0file."
}
],
"impacts": [
{
"capecId": "CAPEC-545",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-545 Pull Data from System Resources"
}
]
},
{
"capecId": "CAPEC-77",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-77 Manipulating User-Controlled Variables"
}
]
},
{
"capecId": "CAPEC-54",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-54 Query System for Information"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"exploitMaturity": "PROOF_OF_CONCEPT",
"privilegesRequired": "LOW",
"providerUrgency": "RED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/RE:L/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-627",
"description": "CWE-627 Dynamic Variable Evaluation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-16T10:15:09.149Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://pretix.eu/about/en/blog/20260216-release-2026-1-1/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Unsafe variable evaluation in email templates",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Limit backend access to trusted users, do not use user-controlled variables in the email template subjects."
}
],
"value": "Limit backend access to trusted users, do not use user-controlled variables in the email template subjects."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-2415",
"datePublished": "2026-02-16T10:15:09.149Z",
"dateReserved": "2026-02-12T17:02:46.966Z",
"dateUpdated": "2026-02-17T17:06:39.418Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14881 (GCVE-0-2025-14881)
Vulnerability from cvelistv5 – Published: 2025-12-19 12:24 – Updated: 2025-12-19 12:58
VLAI
Title
Insecure direct object reference
Summary
Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://pretix.eu/about/en/blog/20251218-release-… | vendor-advisory |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14881",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-19T12:58:00.895498Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T12:58:15.508Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.org/",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"repo": "https://github.com/pretix/pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2025.8.0",
"status": "affected",
"version": "1.0.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2025.8.3",
"status": "unaffected"
}
],
"lessThan": "2025.9.0",
"status": "affected",
"version": "2025.8.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2025.9.3",
"status": "unaffected"
}
],
"lessThan": "2025.10.0",
"status": "affected",
"version": "2025.9.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2025.10.1",
"status": "unaffected"
}
],
"lessThan": "2025.11.0",
"status": "affected",
"version": "2025.10.0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Deniz Parlak (https://github.com/DenizParlak)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only."
}
],
"value": "Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 3.8,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T12:24:10.523Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://pretix.eu/about/en/blog/20251218-release-2025-10-1/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Insecure direct object reference",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2025-14881",
"datePublished": "2025-12-19T12:24:10.523Z",
"dateReserved": "2025-12-18T11:48:11.819Z",
"dateUpdated": "2025-12-19T12:58:15.508Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13742 (GCVE-0-2025-13742)
Vulnerability from cvelistv5 – Published: 2025-11-27 11:04 – Updated: 2025-11-28 15:22
VLAI
Title
Limited HTML injection in emails
Summary
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML in the resulting email. This way, a user could inject links or other formatted text through a maliciously formatted name. Since pretix applies a strict allow list approach to allowed HTML tags, this could not be abused for XSS or similarly dangerous attack chains. However, it can be used to manipulate emails in a way that makes user-provided content appear in a trustworthy and credible way, which can be abused for phishing.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Limited HTML injection in emails
- CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://pretix.eu/about/en/blog/20251126-release-… | vendor-advisory |
Impacted products
Date Public
2025-11-27 11:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13742",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-28T15:20:23.125472Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116 Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-28T15:22:05.481Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.org/",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"repo": "https://github.com/pretix/pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2025.7.0",
"status": "affected",
"version": "1.0.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2025.7.2",
"status": "unaffected"
}
],
"lessThan": "2025.8.0",
"status": "affected",
"version": "2025.7.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2025.8.1",
"status": "unaffected"
}
],
"lessThan": "2025.9.0",
"status": "affected",
"version": "2025.8.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2025.9.1",
"status": "unaffected"
}
],
"lessThan": "2025.10.0",
"status": "affected",
"version": "2025.9.0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jan Roring (binsec GmbH)"
}
],
"datePublic": "2025-11-27T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer\u0027s name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML in the resulting email. This way, a user could inject links or other formatted text through a maliciously formatted name. Since pretix applies a strict allow list approach to allowed HTML tags, this could not be abused for XSS or similarly dangerous attack chains. However, it can be used to manipulate emails in a way that makes user-provided content appear in a trustworthy and credible way, which can be abused for phishing."
}
],
"value": "Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer\u0027s name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML in the resulting email. This way, a user could inject links or other formatted text through a maliciously formatted name. Since pretix applies a strict allow list approach to allowed HTML tags, this could not be abused for XSS or similarly dangerous attack chains. However, it can be used to manipulate emails in a way that makes user-provided content appear in a trustworthy and credible way, which can be abused for phishing."
}
],
"impacts": [
{
"capecId": "CAPEC-134",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-134 Email Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.4,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:L/SC:N/SI:L/SA:L/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Limited HTML injection in emails",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-27T11:04:36.990Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://pretix.eu/about/en/blog/20251126-release-2025-9-1/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Limited HTML injection in emails",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2025-13742",
"datePublished": "2025-11-27T11:04:36.990Z",
"dateReserved": "2025-11-26T14:01:07.019Z",
"dateUpdated": "2025-11-28T15:22:05.481Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-8113 (GCVE-0-2024-8113)
Vulnerability from cvelistv5 – Published: 2024-08-23 14:18 – Updated: 2024-08-30 18:40
VLAI
Title
Stored XSS in Placeholder Samples in Mail Preview
Summary
Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. The default Content Security Policy of pretix prevents execution of attacker-provided scripts, making exploitation unlikely. However, combined with a CSP bypass (which is not currently known) the vulnerability could be used to impersonate other organizers or staff users.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://pretix.eu/about/en/blog/20240823-release-… | release-notes |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8113",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-30T18:23:56.592210Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-30T18:40:02.041Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"repo": "https://github.com/pretix/pretix",
"vendor": "pretix",
"versions": [
{
"changes": [
{
"at": "2024.4.1",
"status": "unaffected"
},
{
"at": "2024.5.1",
"status": "unaffected"
},
{
"at": "2024.6.1",
"status": "unaffected"
},
{
"at": "2024.7.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "2024.7.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Only exploitable if Content-Security-Policy are removed or if a CSP bypass is possible.\u003cbr\u003e"
}
],
"value": "Only exploitable if Content-Security-Policy are removed or if a CSP bypass is possible."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. The default Content Security Policy of pretix prevents execution of attacker-provided scripts, making exploitation unlikely. However, combined with a CSP bypass (which is not currently known) the vulnerability could be used to impersonate other organizers or staff users.\u003cbr\u003e"
}
],
"value": "Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. The default Content Security Policy of pretix prevents execution of attacker-provided scripts, making exploitation unlikely. However, combined with a CSP bypass (which is not currently known) the vulnerability could be used to impersonate other organizers or staff users."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "No known exploits.\u003cbr\u003e"
}
],
"value": "No known exploits."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/R:U/RE:L/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-23T14:24:05.228Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://pretix.eu/about/en/blog/20240823-release-2024-7-1/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Stored XSS in Placeholder Samples in Mail Preview",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2024-8113",
"datePublished": "2024-08-23T14:18:05.416Z",
"dateReserved": "2024-08-23T08:52:05.098Z",
"dateUpdated": "2024-08-30T18:40:02.041Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-27447 (GCVE-0-2024-27447)
Vulnerability from cvelistv5 – Published: 2024-02-26 00:00 – Updated: 2024-08-05 15:16
VLAI
Summary
pretix before 2024.1.1 mishandles file validation.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-20 - Improper Input Validation
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:34:52.146Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/pretix/pretix/compare/v2023.10.2...v2024.1.1"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:rami:pretix:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pretix",
"vendor": "rami",
"versions": [
{
"lessThan": "2024.1.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-27447",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-05T14:46:15.905298Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T15:16:33.447Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "pretix before 2024.1.1 mishandles file validation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-26T05:07:58.183Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/pretix/pretix/compare/v2023.10.2...v2024.1.1"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-27447",
"datePublished": "2024-02-26T00:00:00.000Z",
"dateReserved": "2024-02-26T00:00:00.000Z",
"dateUpdated": "2024-08-05T15:16:33.447Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}