Search

Find a vulnerability

Search criteria

    30 vulnerabilities found for pretix by pretix

    CVE-2026-13602 (GCVE-0-2026-13602)

    Vulnerability from nvd – Published: 2026-07-01 13:45 – Updated: 2026-07-01 15:27
    VLAI
    Title
    Session takeover vulnerability
    Summary
    We found a chain of combining multiple weaknesses in the product that could allow an attacker to become any user in the backend and access any data: * The payment integration plugins Stripe (included in the core system), pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, and pretix-saferpay contain a code path that is intended for the transport of session parameters from a tab with isolated cookies (e.g. in the pretix widget) to a new tab. For this purpose, a set of session parameters is cryptographically signed and then passed to the new tab as a URL parameter. The plugins perform no further validation of the session parameters, other than the cryptographic signature being valid. This is fixed with the releases issued today by strictly validating that no session parameters outside of the scope of the respective plugin may be set. * An unrelated feature in the core system is used to generate redirect links that obfuscate any Referer headers for outgoing links to prevent leakage of secrets in URLs. This redirect page also requires cryptographically signed parameters. Unfortunately, it uses the same key and salt for the signature as the previously mentioned feature in the payment integration plugins. A motivated attacker with access to at least one event in the backend can trick the system into cryptographically signing arbitrary content using specially crafted links. In combination with the previous issue, the attacker could use this to set and modify arbitrary parameters on their user session by injecting the signed parameters into the feature of the payment providers. This is fixed with the releases issued today by using different salts for the signature for each plugin and feature. * A third, unrelated feature in the core system is used for admin users to act on behalf of another user, mostly for debugging purposes. With being able to insert arbitrary parameters into a session, an attacker can abuse this feature to change their session from their actual user to any user in the system by guessing a valid user ID. This is fixed with the release today by requiring unguessable information to be contained in the session of the user to switch to.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper input validation
    • CWE-323 - Reusing a nonce, key pair in encryption
    Assigner
    References
    Impacted products
    Vendor Product Version
    pretix pretix Affected: 4.14.0 , < 2026.3.5 (python)
    Affected: 2026.4.0 , < 2026.4.5 (python)
    Affected: 2026.5.0 , < 2026.5.3 (python)
    Create a notification for this product.
    pretix pretix-mollie Affected: 0 , < 2.5.7 (python)
    Create a notification for this product.
    pretix pretix-oppwa Affected: 0 , < 1.4.4 (python)
    Create a notification for this product.
    pretix pretix-bitpay Affected: 0 , < 1.5.3 (python)
    Create a notification for this product.
    pretix pretix-payone Affected: 0 , < 1.4.3 (python)
    Create a notification for this product.
    pretix pretix-secuconnect Affected: 0 , < 1.0.4 (python)
    Create a notification for this product.
    pretix pretix-sofort Affected: 0 , < 1.4.2 (python)
    Create a notification for this product.
    pretix pretix-saferpay Affected: 0 , < 1.6.3 (python)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-13602",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T15:26:54.400278Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T15:27:00.431Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix",
              "product": "pretix",
              "repo": "https://github.com/pretix/pretix",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "2026.3.5",
                  "status": "affected",
                  "version": "4.14.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "2026.4.5",
                  "status": "affected",
                  "version": "2026.4.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "2026.5.3",
                  "status": "affected",
                  "version": "2026.5.0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-mollie",
              "product": "pretix-mollie",
              "repo": "https://github.com/pretix/pretix-mollie",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "2.5.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-oppwa",
              "product": "pretix-oppwa",
              "repo": "https://github.com/pretix/pretix-oppwa",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.4.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-bitpay",
              "product": "pretix-bitpay",
              "repo": "https://github.com/pretix/pretix-bitpay",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.5.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-payone",
              "product": "pretix-payone",
              "repo": "https://github.com/pretix/pretix-payone",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.4.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-secuconnect",
              "product": "pretix-secuconnect",
              "repo": "https://github.com/pretix/pretix-secuconnect",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.0.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-sofort",
              "product": "pretix-sofort",
              "repo": "https://github.com/pretix/pretix-sofort",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.4.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-saferpay",
              "product": "pretix-saferpay",
              "repo": "https://github.com/pretix/pretix-saferpay",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.6.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eWe found a chain of combining multiple weaknesses in the product that could allow an attacker to become \u003cstrong\u003eany\u003c/strong\u003e user in the backend and access \u003cstrong\u003eany\u003c/strong\u003e data:\u003c/p\u003e\u003cp\u003e\n\u003c/p\u003e\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eThe payment integration plugins Stripe (included in the core system), \u003ccode\u003epretix-mollie\u003c/code\u003e, \u003ccode\u003epretix-oppwa\u003c/code\u003e, \u003ccode\u003epretix-bitpay\u003c/code\u003e, \u003ccode\u003epretix-payone\u003c/code\u003e, \u003ccode\u003epretix-secuconnect\u003c/code\u003e, \u003ccode\u003epretix-sofort\u003c/code\u003e, and \u003ccode\u003epretix-saferpay\u003c/code\u003e\n contain a code path that is intended for the transport of session \nparameters from a tab with isolated cookies (e.g. in the pretix widget) \nto a new tab. For this purpose, a set of session parameters is \ncryptographically signed and then passed to the new tab as a URL \nparameter. The plugins perform no further validation of the session \nparameters, other than the cryptographic signature being valid. This is \nfixed with the releases issued today by strictly validating that no \nsession parameters outside of the scope of the respective plugin may be \nset.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAn unrelated feature in the core system is used to generate redirect links that obfuscate any \u003ccode\u003eReferer\u003c/code\u003e\n headers for outgoing links to prevent leakage of secrets in URLs. This \nredirect page also requires cryptographically signed parameters. \nUnfortunately, it uses the same key and salt for the signature as the \npreviously mentioned feature in the payment integration plugins. A \nmotivated attacker with access to at least one event in the backend can \ntrick the system into cryptographically signing arbitrary content using \nspecially crafted links. In combination with the previous issue, the \nattacker could use this to set and modify arbitrary parameters on their \nuser session by injecting the signed parameters into the feature of the \npayment providers. This is fixed with the releases issued today by using\n different salts for the signature for each plugin and feature.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eA third, unrelated feature in the core system is used for admin users\n to act on behalf of another user, mostly for debugging purposes. With \nbeing able to insert arbitrary parameters into a session, an attacker \ncan abuse this feature to change their session from their actual user to\n any user in the system by guessing a valid user ID. This is fixed with\n the release today by requiring unguessable information to be contained \nin the session of the user to switch to.\u003c/p\u003e\n\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "We found a chain of combining multiple weaknesses in the product that could allow an attacker to become any user in the backend and access any data:\n\n\n\n\n\n\n\n  *  \n\n\nThe payment integration plugins Stripe (included in the core system), pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, and pretix-saferpay\n contain a code path that is intended for the transport of session \nparameters from a tab with isolated cookies (e.g. in the pretix widget) \nto a new tab. For this purpose, a set of session parameters is \ncryptographically signed and then passed to the new tab as a URL \nparameter. The plugins perform no further validation of the session \nparameters, other than the cryptographic signature being valid. This is \nfixed with the releases issued today by strictly validating that no \nsession parameters outside of the scope of the respective plugin may be \nset.\n\n\n\n\n  *  \n\n\nAn unrelated feature in the core system is used to generate redirect links that obfuscate any Referer\n headers for outgoing links to prevent leakage of secrets in URLs. This \nredirect page also requires cryptographically signed parameters. \nUnfortunately, it uses the same key and salt for the signature as the \npreviously mentioned feature in the payment integration plugins. A \nmotivated attacker with access to at least one event in the backend can \ntrick the system into cryptographically signing arbitrary content using \nspecially crafted links. In combination with the previous issue, the \nattacker could use this to set and modify arbitrary parameters on their \nuser session by injecting the signed parameters into the feature of the \npayment providers. This is fixed with the releases issued today by using\n different salts for the signature for each plugin and feature.\n\n\n\n\n  *  \n\n\nA third, unrelated feature in the core system is used for admin users\n to act on behalf of another user, mostly for debugging purposes. With \nbeing able to insert arbitrary parameters into a session, an attacker \ncan abuse this feature to change their session from their actual user to\n any user in the system by guessing a valid user ID. This is fixed with\n the release today by requiring unguessable information to be contained \nin the session of the user to switch to."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            },
            {
              "capecId": "CAPEC-61",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-61 Session Fixation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "UNREPORTED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper input validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-323",
                  "description": "CWE-323 Reusing a nonce, key pair in encryption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T13:45:30.615Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://pretix.eu/about/en/blog/20260701-release-2026-5-3/"
            }
          ],
          "title": "Session takeover vulnerability",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "If you are unable to update quickly, we recommend to block the URL \u003ccode\u003e/control/users/impersonate/stop\u003c/code\u003e in your webserver configuration. In nginx, you can do this by inserting \u003ccode\u003elocation /control/users/impersonate/stop { deny all; }\u003c/code\u003e\n into the correct block. However, this only remedies the most critical \nimpact the other vulnerabilities have, and we still recommend you plan \nan update as soon as possible."
                }
              ],
              "value": "If you are unable to update quickly, we recommend to block the URL /control/users/impersonate/stop in your webserver configuration. In nginx, you can do this by inserting location /control/users/impersonate/stop { deny all; }\n into the correct block. However, this only remedies the most critical \nimpact the other vulnerabilities have, and we still recommend you plan \nan update as soon as possible."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-13602",
        "datePublished": "2026-07-01T13:45:30.615Z",
        "dateReserved": "2026-06-29T08:26:50.725Z",
        "dateUpdated": "2026-07-01T15:27:00.431Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-57535 (GCVE-0-2026-57535)

    Vulnerability from nvd – Published: 2026-06-25 14:29 – Updated: 2026-06-25 15:10
    VLAI
    Summary
    Content injected to PDF rendering contexts could, in many places, include HTML content including <img> tags. If the src attribute of these images pointed to an URL, the PDF rendering engine would download the image from that place and display it, thereby leaking information about the rendering server and possibly creating an SSRF vector in the local network.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-80 - Improper neutralization of Script-Related HTML tags in a web page (basic XSS)
    Assigner
    Impacted products
    Vendor Product Version
    pretix pretix Affected: 0 , < 2026.3.4 (python)
    Affected: 2026.4.0 , < 2026.4.4 (python)
    Affected: 2026.5.0 , < 2026.5.2 (python)
    Create a notification for this product.
    Credits
    Rokkam Vamshi
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-57535",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T15:10:42.511872Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T15:10:48.584Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix",
              "product": "pretix",
              "repo": "https://github.com/pretix/pretix",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "2026.3.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                },
                {
                  "lessThan": "2026.4.4",
                  "status": "affected",
                  "version": "2026.4.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "2026.5.2",
                  "status": "affected",
                  "version": "2026.5.0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Rokkam Vamshi"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Content injected to PDF rendering contexts could, in many places, include HTML content including \u003ccode\u003e\u0026lt;img\u0026gt;\u003c/code\u003e tags. If the \u003ccode\u003esrc\u003c/code\u003e\n attribute of these images pointed to an URL, the PDF rendering engine \nwould download the image from that place and display it, thereby leaking\n information about the rendering server and possibly creating an SSRF \nvector in the local network."
                }
              ],
              "value": "Content injected to PDF rendering contexts could, in many places, include HTML content including \u003cimg\u003e tags. If the src\n attribute of these images pointed to an URL, the PDF rendering engine \nwould download the image from that place and display it, thereby leaking\n information about the rendering server and possibly creating an SSRF \nvector in the local network."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-664",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-664 Server Side Request Forgery"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.1,
                "baseSeverity": "LOW",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-80",
                  "description": "CWE-80 Improper neutralization of Script-Related HTML tags in a web page (basic XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T14:32:51.282Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "url": "https://pretix.eu/about/en/blog/20260625-release-2026-5-2/"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-57535",
        "datePublished": "2026-06-25T14:29:18.531Z",
        "dateReserved": "2026-06-24T15:59:32.628Z",
        "dateUpdated": "2026-06-25T15:10:48.584Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-57533 (GCVE-0-2026-57533)

    Vulnerability from nvd – Published: 2026-06-25 14:31 – Updated: 2026-06-25 15:05
    VLAI
    Summary
    Malicious HTML content could be injected into the page pretix shows when redirection to an untrusted page occurs. Since this page has a Content-Security-Policy, this can mainly be used for phishing purposes.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-80 - Improper neutralization of Script-Related HTML tags in a web page (basic XSS)
    Assigner
    Impacted products
    Vendor Product Version
    pretix pretix Affected: 0 , < 2026.3.4 (python)
    Affected: 2026.4.0 , < 2026.4.4 (python)
    Affected: 2026.5.0 , < 2026.5.2 (python)
    Create a notification for this product.
    Credits
    Haxset
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-57533",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T15:05:08.728267Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T15:05:14.046Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix",
              "product": "pretix",
              "repo": "https://github.com/pretix/pretix",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "2026.3.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                },
                {
                  "lessThan": "2026.4.4",
                  "status": "affected",
                  "version": "2026.4.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "2026.5.2",
                  "status": "affected",
                  "version": "2026.5.0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Haxset"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Malicious HTML content could be injected into the page pretix shows when\n redirection to an untrusted page occurs. Since this page has a \nContent-Security-Policy, this can mainly be used for phishing purposes."
                }
              ],
              "value": "Malicious HTML content could be injected into the page pretix shows when\n redirection to an untrusted page occurs. Since this page has a \nContent-Security-Policy, this can mainly be used for phishing purposes."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-591",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-591 Reflected XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 2.1,
                "baseSeverity": "LOW",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-80",
                  "description": "CWE-80 Improper neutralization of Script-Related HTML tags in a web page (basic XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T14:31:18.968Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "url": "https://pretix.eu/about/en/blog/20260625-release-2026-5-2/"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-57533",
        "datePublished": "2026-06-25T14:31:18.968Z",
        "dateReserved": "2026-06-24T15:59:32.628Z",
        "dateUpdated": "2026-06-25T15:05:14.046Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-57532 (GCVE-0-2026-57532)

    Vulnerability from nvd – Published: 2026-06-25 14:32 – Updated: 2026-06-25 15:04
    VLAI
    Summary
    Malicious HTML content contained in the layout specification of a PDF ticket or badge layout was executed when the PDF editor is opened in the browser. This could allow one backend user to inject JavaScript into the browser context of another backend user. Due to requirements of the PDF rendering and editing libraries used, this is one of the few pages in our backend that do not have a strong Content-Security-Policy that would render this capability useless for most scenarios.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-80 - Improper neutralization of Script-Related HTML tags in a web page (basic XSS)
    Assigner
    Impacted products
    Vendor Product Version
    pretix pretix Affected: 0 , < 2026.3.4 (python)
    Affected: 2026.4.0 , < 2026.4.4 (python)
    Affected: 2026.5.0 , < 2026.5.2 (python)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-57532",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T15:04:18.329787Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T15:04:24.738Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix",
              "product": "pretix",
              "repo": "https://github.com/pretix/pretix",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "2026.3.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                },
                {
                  "lessThan": "2026.4.4",
                  "status": "affected",
                  "version": "2026.4.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "2026.5.2",
                  "status": "affected",
                  "version": "2026.5.0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Malicious HTML content contained in the layout specification of a PDF \nticket or badge layout was executed when the PDF editor is opened in the\n browser. This could allow one backend user to inject JavaScript into \nthe browser context of another backend user. Due to requirements of the \nPDF rendering and editing libraries used, this is one of the few pages \nin our backend that do not have a strong Content-Security-Policy that \nwould render this capability useless for most scenarios."
                }
              ],
              "value": "Malicious HTML content contained in the layout specification of a PDF \nticket or badge layout was executed when the PDF editor is opened in the\n browser. This could allow one backend user to inject JavaScript into \nthe browser context of another backend user. Due to requirements of the \nPDF rendering and editing libraries used, this is one of the few pages \nin our backend that do not have a strong Content-Security-Policy that \nwould render this capability useless for most scenarios."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-80",
                  "description": "CWE-80 Improper neutralization of Script-Related HTML tags in a web page (basic XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T14:32:37.967Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "url": "https://pretix.eu/about/en/blog/20260625-release-2026-5-2/"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-57532",
        "datePublished": "2026-06-25T14:32:37.967Z",
        "dateReserved": "2026-06-24T15:59:32.628Z",
        "dateUpdated": "2026-06-25T15:04:24.738Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-13225 (GCVE-0-2026-13225)

    Vulnerability from nvd – Published: 2026-06-25 14:26 – Updated: 2026-06-25 15:11
    VLAI
    Title
    Stored XSS in ticket confirmation page
    Summary
    Malicious HTML content could be injected into the email address of an order, which pretix showed without sanitization on the confirmation page for individual tickets in that order.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-80 - Improper neutralization of Script-Related HTML tags in a web page (basic XSS)
    Assigner
    Impacted products
    Vendor Product Version
    pretix pretix Affected: 0 , < 2026.3.4 (python)
    Affected: 2026.4.0 , < 2026.4.4 (python)
    Affected: 2026.5.0 , < 2026.5.2 (python)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-13225",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T15:11:06.802643Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T15:11:12.132Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix",
              "product": "pretix",
              "repo": "https://github.com/pretix/pretix",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "2026.3.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                },
                {
                  "lessThan": "2026.4.4",
                  "status": "affected",
                  "version": "2026.4.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "2026.5.2",
                  "status": "affected",
                  "version": "2026.5.0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Malicious HTML content could be injected into the email address of an \norder, which pretix showed without sanitization on the confirmation page\n for individual tickets in that order."
                }
              ],
              "value": "Malicious HTML content could be injected into the email address of an \norder, which pretix showed without sanitization on the confirmation page\n for individual tickets in that order."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-80",
                  "description": "CWE-80 Improper neutralization of Script-Related HTML tags in a web page (basic XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T14:26:31.972Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "url": "https://pretix.eu/about/en/blog/20260625-release-2026-5-2/"
            }
          ],
          "title": "Stored XSS in ticket confirmation page",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-13225",
        "datePublished": "2026-06-25T14:26:31.972Z",
        "dateReserved": "2026-06-24T16:14:10.932Z",
        "dateUpdated": "2026-06-25T15:11:12.132Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11764 (GCVE-0-2026-11764)

    Vulnerability from nvd – Published: 2026-06-09 11:54 – Updated: 2026-06-09 13:49
    VLAI
    Title
    Data exposed without proper permission
    Summary
    When creating an export of all reusable media, the secrets of connected gift cards were included in the export even if the user creating the export does not have permission to view gift cards. This is inconsistent with the UI and API where only the first letters of the gift card secret are shown. Therefore, it allows circumventing a permission boundary.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-280 - Improper handling of insufficient permissions or privileges
    Assigner
    References
    Impacted products
    Vendor Product Version
    pretix pretix Affected: 2024.1.0 , < 2026.3.0 (python)
    Affected: 2026.3.0 , < 2026.4.0 (python)
    Affected: 2026.4.0 , < 2026.5.0 (python)
    Affected: 2026.5.0 , < 2026.6.0 (python)
    Create a notification for this product.
    Credits
    Mr. JDH
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11764",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-09T13:49:30.786909Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-09T13:49:42.672Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/",
              "defaultStatus": "unaffected",
              "packageName": "pretix",
              "product": "pretix",
              "repo": "https://github.com/pretix/pretix",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "2026.3.0",
                  "status": "affected",
                  "version": "2024.1.0",
                  "versionType": "python"
                },
                {
                  "changes": [
                    {
                      "at": "2026.3.3",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2026.4.0",
                  "status": "affected",
                  "version": "2026.3.0",
                  "versionType": "python"
                },
                {
                  "changes": [
                    {
                      "at": "2026.4.3",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2026.5.0",
                  "status": "affected",
                  "version": "2026.4.0",
                  "versionType": "python"
                },
                {
                  "changes": [
                    {
                      "at": "2026.5.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2026.6.0",
                  "status": "affected",
                  "version": "2026.5.0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Mr. JDH"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eWhen creating an export of all reusable media, the secrets of connected \ngift cards were included in the export even if the user creating the \nexport does not have permission to view gift cards. This is inconsistent\n with the UI and API where only the first letters of the gift card \nsecret are shown. Therefore, it allows circumventing a permission \nboundary.\u003c/p\u003e"
                }
              ],
              "value": "When creating an export of all reusable media, the secrets of connected \ngift cards were included in the export even if the user creating the \nexport does not have permission to view gift cards. This is inconsistent\n with the UI and API where only the first letters of the gift card \nsecret are shown. Therefore, it allows circumventing a permission \nboundary."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 3.6,
                "baseSeverity": "LOW",
                "exploitMaturity": "UNREPORTED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-280",
                  "description": "CWE-280 Improper handling of insufficient permissions or privileges",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-09T11:54:37.865Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://pretix.eu/about/en/blog/20260609-release-2026-5-1/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Data exposed without proper permission",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-11764",
        "datePublished": "2026-06-09T11:54:37.865Z",
        "dateReserved": "2026-06-09T08:08:24.188Z",
        "dateUpdated": "2026-06-09T13:49:42.672Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9712 (GCVE-0-2026-9712)

    Vulnerability from nvd – Published: 2026-05-27 14:35 – Updated: 2026-05-28 15:39
    VLAI
    Title
    Insecure direct object reference
    Summary
    When creating an export through the pretix API, API clients are returned an UUID value for their export job (a long, random string like 35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client can then request the actual file for download. The same kind of UUID is used in other places in pretix when temporary files are generated for internal use or download. One remaining API endpoint, however, wrongfully did not verify if the UUID used for download actually belongs to a file that is supposed to be downloadable and belongs to the correct user. In reality, this is hard to exploit because an attacker would need to have access to a valid UUID for the file they desire which is unlikely to happen without a separate security problem giving them access to logs etc.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    References
    Impacted products
    Vendor Product Version
    pretix pretix Affected: 2024.10.0 , < 2026.2.0 (python)
    Affected: 2026.2.0 , < 2026.3.0 (python)
    Affected: 2026.3.0 , < 2026.4.0 (python)
    Affected: 2026.4.0 , < 2026.5.0 (python)
    Create a notification for this product.
    Credits
    Deepjyoti Roy
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9712",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-28T15:39:22.313424Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-28T15:39:28.686Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/",
              "defaultStatus": "unaffected",
              "packageName": "pretix",
              "product": "pretix",
              "repo": "https://github.com/pretix/pretix",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "2026.2.0",
                  "status": "affected",
                  "version": "2024.10.0",
                  "versionType": "python"
                },
                {
                  "changes": [
                    {
                      "at": "2026.2.2",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2026.3.0",
                  "status": "affected",
                  "version": "2026.2.0",
                  "versionType": "python"
                },
                {
                  "changes": [
                    {
                      "at": "2026.3.2",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2026.4.0",
                  "status": "affected",
                  "version": "2026.3.0",
                  "versionType": "python"
                },
                {
                  "changes": [
                    {
                      "at": "2026.4.2",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2026.5.0",
                  "status": "affected",
                  "version": "2026.4.0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Deepjyoti Roy"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eWhen creating an export through the pretix API, API clients are \nreturned an UUID value for their export job (a long, random string like \n35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client \ncan then request the actual file for download. The same kind of UUID is \nused in other places in pretix when temporary files are generated for \ninternal use or download.\u003c/p\u003e\n\u003cp\u003eOne remaining API endpoint, however, wrongfully did not verify if the\n UUID used for download actually belongs to a file that is supposed to \nbe downloadable and belongs to the correct user. In reality, this is \nhard to exploit because an attacker would need to have access to a valid\n UUID for the file they desire which is unlikely to happen without a \nseparate security problem giving them access to logs etc.\u003c/p\u003e"
                }
              ],
              "value": "When creating an export through the pretix API, API clients are \nreturned an UUID value for their export job (a long, random string like \n35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client \ncan then request the actual file for download. The same kind of UUID is \nused in other places in pretix when temporary files are generated for \ninternal use or download.\n\n\n\n\nOne remaining API endpoint, however, wrongfully did not verify if the\n UUID used for download actually belongs to a file that is supposed to \nbe downloadable and belongs to the correct user. In reality, this is \nhard to exploit because an attacker would need to have access to a valid\n UUID for the file they desire which is unlikely to happen without a \nseparate security problem giving them access to logs etc."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 3.8,
                "baseSeverity": "LOW",
                "exploitMaturity": "UNREPORTED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T14:35:58.857Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://pretix.eu/about/en/blog/20260527-release-2026-4-2/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Insecure direct object reference",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-9712",
        "datePublished": "2026-05-27T14:35:58.857Z",
        "dateReserved": "2026-05-27T14:18:33.470Z",
        "dateUpdated": "2026-05-28T15:39:28.686Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5600 (GCVE-0-2026-5600)

    Vulnerability from nvd – Published: 2026-04-08 12:24 – Updated: 2026-04-08 16:03
    VLAI
    Summary
    A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same organizer, even those they should not have access to. These records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example: { "id": 123, "successful": true, "error_reason": null, "error_explanation": null, "position": 321, "datetime": "2020-08-23T09:00:00+02:00", "list": 456, "created": "2020-08-23T09:00:00+02:00", "auto_checked_in": false, "gate": null, "device": 1, "device_id": 1, "type": "entry" } An unauthorized user usually has no way to match these IDs (position) back to individual people.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-653 - Improper isolation or compartmentalization
    Assigner
    Impacted products
    Vendor Product Version
    pretix pretix Affected: 2025.10.0 , < 2026.1.2 (python)
    Affected: 2026.2.0 , < 2026.2.1 (python)
    Affected: 2026.3.0 , < 2026.3.1 (python)
    Create a notification for this product.
    Credits
    Pratik Karan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5600",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-08T16:02:54.453740Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-08T16:03:07.473Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix",
              "product": "pretix",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "2026.1.2",
                  "status": "affected",
                  "version": "2025.10.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "2026.2.1",
                  "status": "affected",
                  "version": "2026.2.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "2026.3.1",
                  "status": "affected",
                  "version": "2026.3.0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Pratik Karan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eA new API endpoint introduced in pretix 2025 that is supposed to \nreturn all check-in events of a specific event in fact returns all \ncheck-in events belonging to the respective organizer. This allows an \nAPI consumer to access information for all other events under the same \norganizer, even those they should not have access to.\u003c/p\u003e\n\u003cp\u003eThese records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003e{\n  \"id\": 123,\n  \"successful\": true,\n  \"error_reason\": null,\n  \"error_explanation\": null,\n  \"position\": 321,\n  \"datetime\": \"2020-08-23T09:00:00+02:00\",\n  \"list\": 456,\n  \"created\": \"2020-08-23T09:00:00+02:00\",\n  \"auto_checked_in\": false,\n  \"gate\": null,\n  \"device\": 1,\n  \"device_id\": 1,\n  \"type\": \"entry\"\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eAn unauthorized user usually has no way to match these IDs (\u003ccode\u003eposition\u003c/code\u003e) back to individual people.\u003c/p\u003e"
                }
              ],
              "value": "A new API endpoint introduced in pretix 2025 that is supposed to \nreturn all check-in events of a specific event in fact returns all \ncheck-in events belonging to the respective organizer. This allows an \nAPI consumer to access information for all other events under the same \norganizer, even those they should not have access to.\n\n\nThese records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example:\n\n\n{\n  \"id\": 123,\n  \"successful\": true,\n  \"error_reason\": null,\n  \"error_explanation\": null,\n  \"position\": 321,\n  \"datetime\": \"2020-08-23T09:00:00+02:00\",\n  \"list\": 456,\n  \"created\": \"2020-08-23T09:00:00+02:00\",\n  \"auto_checked_in\": false,\n  \"gate\": null,\n  \"device\": 1,\n  \"device_id\": 1,\n  \"type\": \"entry\"\n}\n\n\n\nAn unauthorized user usually has no way to match these IDs (position) back to individual people."
            }
          ],
          "impacts": [
            {
              "descriptions": [
                {
                  "lang": "en",
                  "value": "auth"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-653",
                  "description": "CWE-653 Improper isolation or compartmentalization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T12:24:51.602Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "url": "https://pretix.eu/about/en/blog/20260408-release-2026-3-1/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-5600",
        "datePublished": "2026-04-08T12:24:51.602Z",
        "dateReserved": "2026-04-05T12:25:54.058Z",
        "dateUpdated": "2026-04-08T16:03:07.473Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-2452 (GCVE-0-2026-2452)

    Vulnerability from nvd – Published: 2026-02-16 10:16 – Updated: 2026-02-17 17:06
    VLAI
    Title
    Unsafe variable evaluation in email templates
    Summary
    Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained a security-relevant bug: It was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}. This way, an attacker with the ability to control email templates (usually every user of the pretix backend) could retrieve sensitive information from the system configuration, including even database passwords or API keys. pretix does include mechanisms to prevent the usage of such malicious placeholders, however due to a mistake in the code, they were not fully effective for this plugin. Out of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg https://docs.pretix.eu/self-hosting/config/  file.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-627 - Dynamic Variable Evaluation
    Assigner
    References
    Impacted products
    Vendor Product Version
    pretix pretix-newsletter Affected: 1.0.0 , < 2.0.0 (python)
    Affected: 2.0.0 , < 2.0.1 (python)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-2452",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-17T16:43:10.295791Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-17T17:06:21.998Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://marketplace.pretix.eu/",
              "defaultStatus": "unaffected",
              "packageName": "pretix-newsletter",
              "product": "pretix-newsletter",
              "vendor": "pretix",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.6.3",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2.0.0",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "2.0.1",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eEmails sent by pretix can utilize placeholders that will be filled with customer data. For example, when \u003ccode\u003e{name}\u003c/code\u003e\n is used in an email template, it will  be replaced with the buyer\u0027s \nname for the final email. This mechanism contained a security-relevant bug:\u003c/p\u003e\u003cp\u003eIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as \u003ccode\u003e{{event.__init__.__code__.co_filename}}\u003c/code\u003e.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for this plugin.\u003c/p\u003e\u003cp\u003eOut of caution, we recommend that you rotate all passwords and API keys contained in your \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.pretix.eu/self-hosting/config/\"\u003epretix.cfg\u003c/a\u003e\u0026nbsp;file.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name}\n is used in an email template, it will  be replaced with the buyer\u0027s \nname for the final email. This mechanism contained a security-relevant bug:\n\nIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for this plugin.\n\nOut of caution, we recommend that you rotate all passwords and API keys contained in your  pretix.cfg https://docs.pretix.eu/self-hosting/config/ \u00a0file."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-545",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-545 Pull Data from System Resources"
                }
              ]
            },
            {
              "capecId": "CAPEC-77",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-77 Manipulating User-Controlled Variables"
                }
              ]
            },
            {
              "capecId": "CAPEC-54",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-54 Query System for Information"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "exploitMaturity": "PROOF_OF_CONCEPT",
                "privilegesRequired": "LOW",
                "providerUrgency": "RED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/RE:L/U:Red",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "LOW"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-627",
                  "description": "CWE-627 Dynamic Variable Evaluation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-16T10:16:22.027Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://pretix.eu/about/en/blog/20260216-release-2026-1-1/"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Unsafe variable evaluation in email templates",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Limit backend access to trusted users, do not use user-controlled variables in the email templates."
                }
              ],
              "value": "Limit backend access to trusted users, do not use user-controlled variables in the email templates."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-2452",
        "datePublished": "2026-02-16T10:16:22.027Z",
        "dateReserved": "2026-02-13T09:57:35.371Z",
        "dateUpdated": "2026-02-17T17:06:21.998Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-2451 (GCVE-0-2026-2451)

    Vulnerability from nvd – Published: 2026-02-16 10:16 – Updated: 2026-02-17 17:06
    VLAI
    Title
    Unsafe variable evaluation in email templates
    Summary
    Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained a security-relevant bug: It was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}. This way, an attacker with the ability to control email templates (usually every user of the pretix backend) could retrieve sensitive information from the system configuration, including even database passwords or API keys. pretix does include mechanisms to prevent the usage of such malicious placeholders, however due to a mistake in the code, they were not fully effective for this plugin. Out of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg file.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-627 - Dynamic Variable Evaluation
    Assigner
    References
    Impacted products
    Vendor Product Version
    pretix pretix-doistep Affected: 1.0.0 , < 1.3.2 (python)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-2451",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-17T16:43:11.539670Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-17T17:06:30.536Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://marketplace.pretix.eu/",
              "defaultStatus": "unaffected",
              "packageName": "pretix-doistep",
              "product": "pretix-doistep",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.3.2",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eEmails sent by pretix can utilize placeholders that will be filled with customer data. For example, when \u003ccode\u003e{name}\u003c/code\u003e\n is used in an email template, it will  be replaced with the buyer\u0027s \nname for the final email. This mechanism contained a security-relevant bug:\u003c/p\u003e\u003cp\u003eIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as \u003ccode\u003e{{event.__init__.__code__.co_filename}}\u003c/code\u003e.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for this plugin.\u003c/p\u003e\u003cp\u003eOut of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg\u0026nbsp;file.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name}\n is used in an email template, it will  be replaced with the buyer\u0027s \nname for the final email. This mechanism contained a security-relevant bug:\n\nIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for this plugin.\n\nOut of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg\u00a0file."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-545",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-545 Pull Data from System Resources"
                }
              ]
            },
            {
              "capecId": "CAPEC-77",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-77 Manipulating User-Controlled Variables"
                }
              ]
            },
            {
              "capecId": "CAPEC-54",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-54 Query System for Information"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "exploitMaturity": "PROOF_OF_CONCEPT",
                "privilegesRequired": "LOW",
                "providerUrgency": "RED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/RE:L/U:Red",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "LOW"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-627",
                  "description": "CWE-627 Dynamic Variable Evaluation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-16T10:16:05.423Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://pretix.eu/about/en/blog/20260216-release-2026-1-1/"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Unsafe variable evaluation in email templates",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Limit backend access to trusted users, do not use user-controlled variables in the email templates."
                }
              ],
              "value": "Limit backend access to trusted users, do not use user-controlled variables in the email templates."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-2451",
        "datePublished": "2026-02-16T10:16:05.423Z",
        "dateReserved": "2026-02-13T09:57:34.221Z",
        "dateUpdated": "2026-02-17T17:06:30.536Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-2415 (GCVE-0-2026-2415)

    Vulnerability from nvd – Published: 2026-02-16 10:15 – Updated: 2026-02-17 17:06
    VLAI
    Title
    Unsafe variable evaluation in email templates
    Summary
    Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained two security-relevant bugs: * It was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}. This way, an attacker with the ability to control email templates (usually every user of the pretix backend) could retrieve sensitive information from the system configuration, including even database passwords or API keys. pretix does include mechanisms to prevent the usage of such malicious placeholders, however due to a mistake in the code, they were not fully effective for the email subject. * Placeholders in subjects and plain text bodies of emails were wrongfully evaluated twice. Therefore, if the first evaluation of a placeholder again contains a placeholder, this second placeholder was rendered. This allows the rendering of placeholders controlled by the ticket buyer, and therefore the exploitation of the first issue as a ticket buyer. Luckily, the only buyer-controlled placeholder available in pretix by default (that is not validated in a way that prevents the issue) is {invoice_company}, which is very unusual (but not impossible) to be contained in an email subject template. In addition to broadening the attack surface of the first issue, this could theoretically also leak information about an order to one of the attendees within that order. However, we also consider this scenario very unlikely under typical conditions. Out of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg https://docs.pretix.eu/self-hosting/config/  file.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-627 - Dynamic Variable Evaluation
    Assigner
    References
    Impacted products
    Vendor Product Version
    pretix pretix Affected: 4.16.0 , < 2025.9.0 (python)
    Affected: 2025.9.0 , < 2025.10.0 (python)
    Affected: 2025.10.0 , < 2026.1.0 (python)
    Affected: 2026.1.0 , < 2026.1.1 (python)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-2415",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-17T16:43:12.852157Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-17T17:06:39.418Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/",
              "defaultStatus": "unaffected",
              "packageName": "pretix",
              "product": "pretix",
              "repo": "https://github.com/pretix/pretix",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "2025.9.0",
                  "status": "affected",
                  "version": "4.16.0",
                  "versionType": "python"
                },
                {
                  "changes": [
                    {
                      "at": "2025.9.4",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2025.10.0",
                  "status": "affected",
                  "version": "2025.9.0",
                  "versionType": "python"
                },
                {
                  "changes": [
                    {
                      "at": "2025.10.2",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2026.1.0",
                  "status": "affected",
                  "version": "2025.10.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "2026.1.1",
                  "status": "affected",
                  "version": "2026.1.0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eEmails sent by pretix can utilize placeholders that will be filled with customer data. For example, when \u003ccode\u003e{name}\u003c/code\u003e\n is used in an email template, it will  be replaced with the buyer\u0027s \nname for the final email. This mechanism contained two security-relevant\n bugs:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\n\u003cp\u003eIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as \u003ccode\u003e{{event.__init__.__code__.co_filename}}\u003c/code\u003e.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for the email subject.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003ePlaceholders in subjects and plain text bodies of emails were \nwrongfully evaluated twice. Therefore, if the first evaluation of a \nplaceholder again contains a placeholder, this second placeholder was \nrendered. This allows the rendering of placeholders controlled by the \nticket buyer, and therefore the exploitation of the first issue as a \nticket buyer. Luckily, the only buyer-controlled placeholder available \nin pretix by default (that is not validated in a way that prevents the \nissue) is \u003ccode\u003e{invoice_company}\u003c/code\u003e, which is very unusual (but not\n impossible) to be contained in an email subject template. In addition \nto broadening the attack surface of the first issue, this could \ntheoretically also leak information about an order to one of the \nattendees within that order. However, we also consider this scenario \nvery unlikely under typical conditions.\u003c/p\u003e\u003c/li\u003e\u003c/ol\u003e\u003cdiv\u003eOut of caution, we recommend that you rotate all passwords and API keys contained in your \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.pretix.eu/self-hosting/config/\"\u003epretix.cfg\u003c/a\u003e\u0026nbsp;file.\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name}\n is used in an email template, it will  be replaced with the buyer\u0027s \nname for the final email. This mechanism contained two security-relevant\n bugs:\n\n\n\n  *  \nIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for the email subject.\n\n\n\n\n  *  \nPlaceholders in subjects and plain text bodies of emails were \nwrongfully evaluated twice. Therefore, if the first evaluation of a \nplaceholder again contains a placeholder, this second placeholder was \nrendered. This allows the rendering of placeholders controlled by the \nticket buyer, and therefore the exploitation of the first issue as a \nticket buyer. Luckily, the only buyer-controlled placeholder available \nin pretix by default (that is not validated in a way that prevents the \nissue) is {invoice_company}, which is very unusual (but not\n impossible) to be contained in an email subject template. In addition \nto broadening the attack surface of the first issue, this could \ntheoretically also leak information about an order to one of the \nattendees within that order. However, we also consider this scenario \nvery unlikely under typical conditions.\n\n\nOut of caution, we recommend that you rotate all passwords and API keys contained in your  pretix.cfg https://docs.pretix.eu/self-hosting/config/ \u00a0file."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-545",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-545 Pull Data from System Resources"
                }
              ]
            },
            {
              "capecId": "CAPEC-77",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-77 Manipulating User-Controlled Variables"
                }
              ]
            },
            {
              "capecId": "CAPEC-54",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-54 Query System for Information"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "exploitMaturity": "PROOF_OF_CONCEPT",
                "privilegesRequired": "LOW",
                "providerUrgency": "RED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/RE:L/U:Red",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "LOW"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-627",
                  "description": "CWE-627 Dynamic Variable Evaluation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-16T10:15:09.149Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://pretix.eu/about/en/blog/20260216-release-2026-1-1/"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Unsafe variable evaluation in email templates",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Limit backend access to trusted users, do not use user-controlled variables in the email template subjects."
                }
              ],
              "value": "Limit backend access to trusted users, do not use user-controlled variables in the email template subjects."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-2415",
        "datePublished": "2026-02-16T10:15:09.149Z",
        "dateReserved": "2026-02-12T17:02:46.966Z",
        "dateUpdated": "2026-02-17T17:06:39.418Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-14881 (GCVE-0-2025-14881)

    Vulnerability from nvd – Published: 2025-12-19 12:24 – Updated: 2025-12-19 12:58
    VLAI
    Title
    Insecure direct object reference
    Summary
    Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    References
    Impacted products
    Vendor Product Version
    pretix pretix Affected: 1.0.0 , < 2025.8.0 (python)
    Affected: 2025.8.0 , < 2025.9.0 (python)
    Affected: 2025.9.0 , < 2025.10.0 (python)
    Affected: 2025.10.0 , < 2025.11.0 (python)
    Create a notification for this product.
    Credits
    Deniz Parlak (https://github.com/DenizParlak)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-14881",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-19T12:58:00.895498Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-19T12:58:15.508Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/",
              "defaultStatus": "unaffected",
              "packageName": "pretix",
              "product": "pretix",
              "repo": "https://github.com/pretix/pretix",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "2025.8.0",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "python"
                },
                {
                  "changes": [
                    {
                      "at": "2025.8.3",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2025.9.0",
                  "status": "affected",
                  "version": "2025.8.0",
                  "versionType": "python"
                },
                {
                  "changes": [
                    {
                      "at": "2025.9.3",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2025.10.0",
                  "status": "affected",
                  "version": "2025.9.0",
                  "versionType": "python"
                },
                {
                  "changes": [
                    {
                      "at": "2025.10.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2025.11.0",
                  "status": "affected",
                  "version": "2025.10.0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Deniz Parlak (https://github.com/DenizParlak)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only."
                }
              ],
              "value": "Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 3.8,
                "baseSeverity": "LOW",
                "exploitMaturity": "UNREPORTED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-19T12:24:10.523Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://pretix.eu/about/en/blog/20251218-release-2025-10-1/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Insecure direct object reference",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2025-14881",
        "datePublished": "2025-12-19T12:24:10.523Z",
        "dateReserved": "2025-12-18T11:48:11.819Z",
        "dateUpdated": "2025-12-19T12:58:15.508Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-13742 (GCVE-0-2025-13742)

    Vulnerability from nvd – Published: 2025-11-27 11:04 – Updated: 2025-11-28 15:22
    VLAI
    Title
    Limited HTML injection in emails
    Summary
    Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML in the resulting email. This way, a user could inject links or other formatted text through a maliciously formatted name. Since pretix applies a strict allow list approach to allowed HTML tags, this could not be abused for XSS or similarly dangerous attack chains. However, it can be used to manipulate emails in a way that makes user-provided content appear in a trustworthy and credible way, which can be abused for phishing.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Limited HTML injection in emails
    • CWE-116 - Improper Encoding or Escaping of Output
    Assigner
    References
    Impacted products
    Vendor Product Version
    pretix pretix Affected: 1.0.0 , < 2025.7.0 (python)
    Affected: 2025.7.0 , < 2025.8.0 (python)
    Affected: 2025.8.0 , < 2025.9.0 (python)
    Affected: 2025.9.0 , < 2025.10.0 (python)
    Create a notification for this product.
    Date Public
    2025-11-27 11:00
    Credits
    Jan Roring (binsec GmbH)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-13742",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-28T15:20:23.125472Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-116",
                    "description": "CWE-116 Improper Encoding or Escaping of Output",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-28T15:22:05.481Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/",
              "defaultStatus": "unaffected",
              "packageName": "pretix",
              "product": "pretix",
              "repo": "https://github.com/pretix/pretix",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "2025.7.0",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "python"
                },
                {
                  "changes": [
                    {
                      "at": "2025.7.2",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2025.8.0",
                  "status": "affected",
                  "version": "2025.7.0",
                  "versionType": "python"
                },
                {
                  "changes": [
                    {
                      "at": "2025.8.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2025.9.0",
                  "status": "affected",
                  "version": "2025.8.0",
                  "versionType": "python"
                },
                {
                  "changes": [
                    {
                      "at": "2025.9.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2025.10.0",
                  "status": "affected",
                  "version": "2025.9.0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jan Roring (binsec GmbH)"
            }
          ],
          "datePublic": "2025-11-27T11:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer\u0027s name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML in the resulting email. This way, a user could inject links or other formatted text through a maliciously formatted name. Since pretix applies a strict allow list approach to allowed HTML tags, this could not be abused for XSS or similarly dangerous attack chains. However, it can be used to manipulate emails in a way that makes user-provided content appear in a trustworthy and credible way, which can be abused for phishing."
                }
              ],
              "value": "Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer\u0027s name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML in the resulting email. This way, a user could inject links or other formatted text through a maliciously formatted name. Since pretix applies a strict allow list approach to allowed HTML tags, this could not be abused for XSS or similarly dangerous attack chains. However, it can be used to manipulate emails in a way that makes user-provided content appear in a trustworthy and credible way, which can be abused for phishing."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-134",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-134 Email Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.4,
                "baseSeverity": "LOW",
                "exploitMaturity": "UNREPORTED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:L/SC:N/SI:L/SA:L/E:U",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Limited HTML injection in emails",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-27T11:04:36.990Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://pretix.eu/about/en/blog/20251126-release-2025-9-1/"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Limited HTML injection in emails",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2025-13742",
        "datePublished": "2025-11-27T11:04:36.990Z",
        "dateReserved": "2025-11-26T14:01:07.019Z",
        "dateUpdated": "2025-11-28T15:22:05.481Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-8113 (GCVE-0-2024-8113)

    Vulnerability from nvd – Published: 2024-08-23 14:18 – Updated: 2024-08-30 18:40
    VLAI
    Title
    Stored XSS in Placeholder Samples in Mail Preview
    Summary
    Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. The default Content Security Policy of pretix prevents execution of attacker-provided scripts, making exploitation unlikely. However, combined with a CSP bypass (which is not currently known) the vulnerability could be used to impersonate other organizers or staff users.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    pretix pretix Affected: 0 , ≤ 2024.7.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8113",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-30T18:23:56.592210Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-30T18:40:02.041Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix",
              "product": "pretix",
              "repo": "https://github.com/pretix/pretix",
              "vendor": "pretix",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2024.4.1",
                      "status": "unaffected"
                    },
                    {
                      "at": "2024.5.1",
                      "status": "unaffected"
                    },
                    {
                      "at": "2024.6.1",
                      "status": "unaffected"
                    },
                    {
                      "at": "2024.7.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "2024.7.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Only exploitable if Content-Security-Policy are removed or if a CSP bypass is possible.\u003cbr\u003e"
                }
              ],
              "value": "Only exploitable if Content-Security-Policy are removed or if a CSP bypass is possible."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. The default Content Security Policy of pretix prevents execution of attacker-provided scripts, making exploitation unlikely. However, combined with a CSP bypass (which is not currently known) the vulnerability could be used to impersonate other organizers or staff users.\u003cbr\u003e"
                }
              ],
              "value": "Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. The default Content Security Policy of pretix prevents execution of attacker-provided scripts, making exploitation unlikely. However, combined with a CSP bypass (which is not currently known) the vulnerability could be used to impersonate other organizers or staff users."
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "No known exploits.\u003cbr\u003e"
                }
              ],
              "value": "No known exploits."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "USER",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "HIGH",
                "providerUrgency": "GREEN",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/R:U/RE:L/U:Green",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "LOW"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-08-23T14:24:05.228Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://pretix.eu/about/en/blog/20240823-release-2024-7-1/"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Stored XSS in Placeholder Samples in Mail Preview",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2024-8113",
        "datePublished": "2024-08-23T14:18:05.416Z",
        "dateReserved": "2024-08-23T08:52:05.098Z",
        "dateUpdated": "2024-08-30T18:40:02.041Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-27447 (GCVE-0-2024-27447)

    Vulnerability from nvd – Published: 2024-02-26 00:00 – Updated: 2024-08-05 15:16
    VLAI
    Summary
    pretix before 2024.1.1 mishandles file validation.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    rami pretix Affected: 0 , < 2024.1.1 (custom)
        cpe:2.3:a:rami:pretix:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T00:34:52.146Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/pretix/pretix/compare/v2023.10.2...v2024.1.1"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:rami:pretix:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "pretix",
                "vendor": "rami",
                "versions": [
                  {
                    "lessThan": "2024.1.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-27447",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-05T14:46:15.905298Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-20",
                    "description": "CWE-20 Improper Input Validation",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-05T15:16:33.447Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "pretix before 2024.1.1 mishandles file validation."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-02-26T05:07:58.183Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/pretix/pretix/compare/v2023.10.2...v2024.1.1"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2024-27447",
        "datePublished": "2024-02-26T00:00:00.000Z",
        "dateReserved": "2024-02-26T00:00:00.000Z",
        "dateUpdated": "2024-08-05T15:16:33.447Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-13602 (GCVE-0-2026-13602)

    Vulnerability from cvelistv5 – Published: 2026-07-01 13:45 – Updated: 2026-07-01 15:27
    VLAI
    Title
    Session takeover vulnerability
    Summary
    We found a chain of combining multiple weaknesses in the product that could allow an attacker to become any user in the backend and access any data: * The payment integration plugins Stripe (included in the core system), pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, and pretix-saferpay contain a code path that is intended for the transport of session parameters from a tab with isolated cookies (e.g. in the pretix widget) to a new tab. For this purpose, a set of session parameters is cryptographically signed and then passed to the new tab as a URL parameter. The plugins perform no further validation of the session parameters, other than the cryptographic signature being valid. This is fixed with the releases issued today by strictly validating that no session parameters outside of the scope of the respective plugin may be set. * An unrelated feature in the core system is used to generate redirect links that obfuscate any Referer headers for outgoing links to prevent leakage of secrets in URLs. This redirect page also requires cryptographically signed parameters. Unfortunately, it uses the same key and salt for the signature as the previously mentioned feature in the payment integration plugins. A motivated attacker with access to at least one event in the backend can trick the system into cryptographically signing arbitrary content using specially crafted links. In combination with the previous issue, the attacker could use this to set and modify arbitrary parameters on their user session by injecting the signed parameters into the feature of the payment providers. This is fixed with the releases issued today by using different salts for the signature for each plugin and feature. * A third, unrelated feature in the core system is used for admin users to act on behalf of another user, mostly for debugging purposes. With being able to insert arbitrary parameters into a session, an attacker can abuse this feature to change their session from their actual user to any user in the system by guessing a valid user ID. This is fixed with the release today by requiring unguessable information to be contained in the session of the user to switch to.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper input validation
    • CWE-323 - Reusing a nonce, key pair in encryption
    Assigner
    References
    Impacted products
    Vendor Product Version
    pretix pretix Affected: 4.14.0 , < 2026.3.5 (python)
    Affected: 2026.4.0 , < 2026.4.5 (python)
    Affected: 2026.5.0 , < 2026.5.3 (python)
    Create a notification for this product.
    pretix pretix-mollie Affected: 0 , < 2.5.7 (python)
    Create a notification for this product.
    pretix pretix-oppwa Affected: 0 , < 1.4.4 (python)
    Create a notification for this product.
    pretix pretix-bitpay Affected: 0 , < 1.5.3 (python)
    Create a notification for this product.
    pretix pretix-payone Affected: 0 , < 1.4.3 (python)
    Create a notification for this product.
    pretix pretix-secuconnect Affected: 0 , < 1.0.4 (python)
    Create a notification for this product.
    pretix pretix-sofort Affected: 0 , < 1.4.2 (python)
    Create a notification for this product.
    pretix pretix-saferpay Affected: 0 , < 1.6.3 (python)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-13602",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T15:26:54.400278Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T15:27:00.431Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix",
              "product": "pretix",
              "repo": "https://github.com/pretix/pretix",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "2026.3.5",
                  "status": "affected",
                  "version": "4.14.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "2026.4.5",
                  "status": "affected",
                  "version": "2026.4.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "2026.5.3",
                  "status": "affected",
                  "version": "2026.5.0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-mollie",
              "product": "pretix-mollie",
              "repo": "https://github.com/pretix/pretix-mollie",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "2.5.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-oppwa",
              "product": "pretix-oppwa",
              "repo": "https://github.com/pretix/pretix-oppwa",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.4.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-bitpay",
              "product": "pretix-bitpay",
              "repo": "https://github.com/pretix/pretix-bitpay",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.5.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-payone",
              "product": "pretix-payone",
              "repo": "https://github.com/pretix/pretix-payone",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.4.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-secuconnect",
              "product": "pretix-secuconnect",
              "repo": "https://github.com/pretix/pretix-secuconnect",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.0.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-sofort",
              "product": "pretix-sofort",
              "repo": "https://github.com/pretix/pretix-sofort",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.4.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix-saferpay",
              "product": "pretix-saferpay",
              "repo": "https://github.com/pretix/pretix-saferpay",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.6.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eWe found a chain of combining multiple weaknesses in the product that could allow an attacker to become \u003cstrong\u003eany\u003c/strong\u003e user in the backend and access \u003cstrong\u003eany\u003c/strong\u003e data:\u003c/p\u003e\u003cp\u003e\n\u003c/p\u003e\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eThe payment integration plugins Stripe (included in the core system), \u003ccode\u003epretix-mollie\u003c/code\u003e, \u003ccode\u003epretix-oppwa\u003c/code\u003e, \u003ccode\u003epretix-bitpay\u003c/code\u003e, \u003ccode\u003epretix-payone\u003c/code\u003e, \u003ccode\u003epretix-secuconnect\u003c/code\u003e, \u003ccode\u003epretix-sofort\u003c/code\u003e, and \u003ccode\u003epretix-saferpay\u003c/code\u003e\n contain a code path that is intended for the transport of session \nparameters from a tab with isolated cookies (e.g. in the pretix widget) \nto a new tab. For this purpose, a set of session parameters is \ncryptographically signed and then passed to the new tab as a URL \nparameter. The plugins perform no further validation of the session \nparameters, other than the cryptographic signature being valid. This is \nfixed with the releases issued today by strictly validating that no \nsession parameters outside of the scope of the respective plugin may be \nset.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAn unrelated feature in the core system is used to generate redirect links that obfuscate any \u003ccode\u003eReferer\u003c/code\u003e\n headers for outgoing links to prevent leakage of secrets in URLs. This \nredirect page also requires cryptographically signed parameters. \nUnfortunately, it uses the same key and salt for the signature as the \npreviously mentioned feature in the payment integration plugins. A \nmotivated attacker with access to at least one event in the backend can \ntrick the system into cryptographically signing arbitrary content using \nspecially crafted links. In combination with the previous issue, the \nattacker could use this to set and modify arbitrary parameters on their \nuser session by injecting the signed parameters into the feature of the \npayment providers. This is fixed with the releases issued today by using\n different salts for the signature for each plugin and feature.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eA third, unrelated feature in the core system is used for admin users\n to act on behalf of another user, mostly for debugging purposes. With \nbeing able to insert arbitrary parameters into a session, an attacker \ncan abuse this feature to change their session from their actual user to\n any user in the system by guessing a valid user ID. This is fixed with\n the release today by requiring unguessable information to be contained \nin the session of the user to switch to.\u003c/p\u003e\n\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "We found a chain of combining multiple weaknesses in the product that could allow an attacker to become any user in the backend and access any data:\n\n\n\n\n\n\n\n  *  \n\n\nThe payment integration plugins Stripe (included in the core system), pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, and pretix-saferpay\n contain a code path that is intended for the transport of session \nparameters from a tab with isolated cookies (e.g. in the pretix widget) \nto a new tab. For this purpose, a set of session parameters is \ncryptographically signed and then passed to the new tab as a URL \nparameter. The plugins perform no further validation of the session \nparameters, other than the cryptographic signature being valid. This is \nfixed with the releases issued today by strictly validating that no \nsession parameters outside of the scope of the respective plugin may be \nset.\n\n\n\n\n  *  \n\n\nAn unrelated feature in the core system is used to generate redirect links that obfuscate any Referer\n headers for outgoing links to prevent leakage of secrets in URLs. This \nredirect page also requires cryptographically signed parameters. \nUnfortunately, it uses the same key and salt for the signature as the \npreviously mentioned feature in the payment integration plugins. A \nmotivated attacker with access to at least one event in the backend can \ntrick the system into cryptographically signing arbitrary content using \nspecially crafted links. In combination with the previous issue, the \nattacker could use this to set and modify arbitrary parameters on their \nuser session by injecting the signed parameters into the feature of the \npayment providers. This is fixed with the releases issued today by using\n different salts for the signature for each plugin and feature.\n\n\n\n\n  *  \n\n\nA third, unrelated feature in the core system is used for admin users\n to act on behalf of another user, mostly for debugging purposes. With \nbeing able to insert arbitrary parameters into a session, an attacker \ncan abuse this feature to change their session from their actual user to\n any user in the system by guessing a valid user ID. This is fixed with\n the release today by requiring unguessable information to be contained \nin the session of the user to switch to."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            },
            {
              "capecId": "CAPEC-61",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-61 Session Fixation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "UNREPORTED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper input validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-323",
                  "description": "CWE-323 Reusing a nonce, key pair in encryption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T13:45:30.615Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://pretix.eu/about/en/blog/20260701-release-2026-5-3/"
            }
          ],
          "title": "Session takeover vulnerability",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "If you are unable to update quickly, we recommend to block the URL \u003ccode\u003e/control/users/impersonate/stop\u003c/code\u003e in your webserver configuration. In nginx, you can do this by inserting \u003ccode\u003elocation /control/users/impersonate/stop { deny all; }\u003c/code\u003e\n into the correct block. However, this only remedies the most critical \nimpact the other vulnerabilities have, and we still recommend you plan \nan update as soon as possible."
                }
              ],
              "value": "If you are unable to update quickly, we recommend to block the URL /control/users/impersonate/stop in your webserver configuration. In nginx, you can do this by inserting location /control/users/impersonate/stop { deny all; }\n into the correct block. However, this only remedies the most critical \nimpact the other vulnerabilities have, and we still recommend you plan \nan update as soon as possible."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-13602",
        "datePublished": "2026-07-01T13:45:30.615Z",
        "dateReserved": "2026-06-29T08:26:50.725Z",
        "dateUpdated": "2026-07-01T15:27:00.431Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-57532 (GCVE-0-2026-57532)

    Vulnerability from cvelistv5 – Published: 2026-06-25 14:32 – Updated: 2026-06-25 15:04
    VLAI
    Summary
    Malicious HTML content contained in the layout specification of a PDF ticket or badge layout was executed when the PDF editor is opened in the browser. This could allow one backend user to inject JavaScript into the browser context of another backend user. Due to requirements of the PDF rendering and editing libraries used, this is one of the few pages in our backend that do not have a strong Content-Security-Policy that would render this capability useless for most scenarios.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-80 - Improper neutralization of Script-Related HTML tags in a web page (basic XSS)
    Assigner
    Impacted products
    Vendor Product Version
    pretix pretix Affected: 0 , < 2026.3.4 (python)
    Affected: 2026.4.0 , < 2026.4.4 (python)
    Affected: 2026.5.0 , < 2026.5.2 (python)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-57532",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T15:04:18.329787Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T15:04:24.738Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix",
              "product": "pretix",
              "repo": "https://github.com/pretix/pretix",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "2026.3.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                },
                {
                  "lessThan": "2026.4.4",
                  "status": "affected",
                  "version": "2026.4.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "2026.5.2",
                  "status": "affected",
                  "version": "2026.5.0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Malicious HTML content contained in the layout specification of a PDF \nticket or badge layout was executed when the PDF editor is opened in the\n browser. This could allow one backend user to inject JavaScript into \nthe browser context of another backend user. Due to requirements of the \nPDF rendering and editing libraries used, this is one of the few pages \nin our backend that do not have a strong Content-Security-Policy that \nwould render this capability useless for most scenarios."
                }
              ],
              "value": "Malicious HTML content contained in the layout specification of a PDF \nticket or badge layout was executed when the PDF editor is opened in the\n browser. This could allow one backend user to inject JavaScript into \nthe browser context of another backend user. Due to requirements of the \nPDF rendering and editing libraries used, this is one of the few pages \nin our backend that do not have a strong Content-Security-Policy that \nwould render this capability useless for most scenarios."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-80",
                  "description": "CWE-80 Improper neutralization of Script-Related HTML tags in a web page (basic XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T14:32:37.967Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "url": "https://pretix.eu/about/en/blog/20260625-release-2026-5-2/"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-57532",
        "datePublished": "2026-06-25T14:32:37.967Z",
        "dateReserved": "2026-06-24T15:59:32.628Z",
        "dateUpdated": "2026-06-25T15:04:24.738Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-57533 (GCVE-0-2026-57533)

    Vulnerability from cvelistv5 – Published: 2026-06-25 14:31 – Updated: 2026-06-25 15:05
    VLAI
    Summary
    Malicious HTML content could be injected into the page pretix shows when redirection to an untrusted page occurs. Since this page has a Content-Security-Policy, this can mainly be used for phishing purposes.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-80 - Improper neutralization of Script-Related HTML tags in a web page (basic XSS)
    Assigner
    Impacted products
    Vendor Product Version
    pretix pretix Affected: 0 , < 2026.3.4 (python)
    Affected: 2026.4.0 , < 2026.4.4 (python)
    Affected: 2026.5.0 , < 2026.5.2 (python)
    Create a notification for this product.
    Credits
    Haxset
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-57533",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T15:05:08.728267Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T15:05:14.046Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix",
              "product": "pretix",
              "repo": "https://github.com/pretix/pretix",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "2026.3.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                },
                {
                  "lessThan": "2026.4.4",
                  "status": "affected",
                  "version": "2026.4.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "2026.5.2",
                  "status": "affected",
                  "version": "2026.5.0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Haxset"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Malicious HTML content could be injected into the page pretix shows when\n redirection to an untrusted page occurs. Since this page has a \nContent-Security-Policy, this can mainly be used for phishing purposes."
                }
              ],
              "value": "Malicious HTML content could be injected into the page pretix shows when\n redirection to an untrusted page occurs. Since this page has a \nContent-Security-Policy, this can mainly be used for phishing purposes."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-591",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-591 Reflected XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 2.1,
                "baseSeverity": "LOW",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-80",
                  "description": "CWE-80 Improper neutralization of Script-Related HTML tags in a web page (basic XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T14:31:18.968Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "url": "https://pretix.eu/about/en/blog/20260625-release-2026-5-2/"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-57533",
        "datePublished": "2026-06-25T14:31:18.968Z",
        "dateReserved": "2026-06-24T15:59:32.628Z",
        "dateUpdated": "2026-06-25T15:05:14.046Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-57535 (GCVE-0-2026-57535)

    Vulnerability from cvelistv5 – Published: 2026-06-25 14:29 – Updated: 2026-06-25 15:10
    VLAI
    Summary
    Content injected to PDF rendering contexts could, in many places, include HTML content including <img> tags. If the src attribute of these images pointed to an URL, the PDF rendering engine would download the image from that place and display it, thereby leaking information about the rendering server and possibly creating an SSRF vector in the local network.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-80 - Improper neutralization of Script-Related HTML tags in a web page (basic XSS)
    Assigner
    Impacted products
    Vendor Product Version
    pretix pretix Affected: 0 , < 2026.3.4 (python)
    Affected: 2026.4.0 , < 2026.4.4 (python)
    Affected: 2026.5.0 , < 2026.5.2 (python)
    Create a notification for this product.
    Credits
    Rokkam Vamshi
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-57535",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T15:10:42.511872Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T15:10:48.584Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix",
              "product": "pretix",
              "repo": "https://github.com/pretix/pretix",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "2026.3.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                },
                {
                  "lessThan": "2026.4.4",
                  "status": "affected",
                  "version": "2026.4.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "2026.5.2",
                  "status": "affected",
                  "version": "2026.5.0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Rokkam Vamshi"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Content injected to PDF rendering contexts could, in many places, include HTML content including \u003ccode\u003e\u0026lt;img\u0026gt;\u003c/code\u003e tags. If the \u003ccode\u003esrc\u003c/code\u003e\n attribute of these images pointed to an URL, the PDF rendering engine \nwould download the image from that place and display it, thereby leaking\n information about the rendering server and possibly creating an SSRF \nvector in the local network."
                }
              ],
              "value": "Content injected to PDF rendering contexts could, in many places, include HTML content including \u003cimg\u003e tags. If the src\n attribute of these images pointed to an URL, the PDF rendering engine \nwould download the image from that place and display it, thereby leaking\n information about the rendering server and possibly creating an SSRF \nvector in the local network."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-664",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-664 Server Side Request Forgery"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.1,
                "baseSeverity": "LOW",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-80",
                  "description": "CWE-80 Improper neutralization of Script-Related HTML tags in a web page (basic XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T14:32:51.282Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "url": "https://pretix.eu/about/en/blog/20260625-release-2026-5-2/"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-57535",
        "datePublished": "2026-06-25T14:29:18.531Z",
        "dateReserved": "2026-06-24T15:59:32.628Z",
        "dateUpdated": "2026-06-25T15:10:48.584Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-13225 (GCVE-0-2026-13225)

    Vulnerability from cvelistv5 – Published: 2026-06-25 14:26 – Updated: 2026-06-25 15:11
    VLAI
    Title
    Stored XSS in ticket confirmation page
    Summary
    Malicious HTML content could be injected into the email address of an order, which pretix showed without sanitization on the confirmation page for individual tickets in that order.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-80 - Improper neutralization of Script-Related HTML tags in a web page (basic XSS)
    Assigner
    Impacted products
    Vendor Product Version
    pretix pretix Affected: 0 , < 2026.3.4 (python)
    Affected: 2026.4.0 , < 2026.4.4 (python)
    Affected: 2026.5.0 , < 2026.5.2 (python)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-13225",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T15:11:06.802643Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T15:11:12.132Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix",
              "product": "pretix",
              "repo": "https://github.com/pretix/pretix",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "2026.3.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                },
                {
                  "lessThan": "2026.4.4",
                  "status": "affected",
                  "version": "2026.4.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "2026.5.2",
                  "status": "affected",
                  "version": "2026.5.0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Malicious HTML content could be injected into the email address of an \norder, which pretix showed without sanitization on the confirmation page\n for individual tickets in that order."
                }
              ],
              "value": "Malicious HTML content could be injected into the email address of an \norder, which pretix showed without sanitization on the confirmation page\n for individual tickets in that order."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-80",
                  "description": "CWE-80 Improper neutralization of Script-Related HTML tags in a web page (basic XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T14:26:31.972Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "url": "https://pretix.eu/about/en/blog/20260625-release-2026-5-2/"
            }
          ],
          "title": "Stored XSS in ticket confirmation page",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-13225",
        "datePublished": "2026-06-25T14:26:31.972Z",
        "dateReserved": "2026-06-24T16:14:10.932Z",
        "dateUpdated": "2026-06-25T15:11:12.132Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11764 (GCVE-0-2026-11764)

    Vulnerability from cvelistv5 – Published: 2026-06-09 11:54 – Updated: 2026-06-09 13:49
    VLAI
    Title
    Data exposed without proper permission
    Summary
    When creating an export of all reusable media, the secrets of connected gift cards were included in the export even if the user creating the export does not have permission to view gift cards. This is inconsistent with the UI and API where only the first letters of the gift card secret are shown. Therefore, it allows circumventing a permission boundary.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-280 - Improper handling of insufficient permissions or privileges
    Assigner
    References
    Impacted products
    Vendor Product Version
    pretix pretix Affected: 2024.1.0 , < 2026.3.0 (python)
    Affected: 2026.3.0 , < 2026.4.0 (python)
    Affected: 2026.4.0 , < 2026.5.0 (python)
    Affected: 2026.5.0 , < 2026.6.0 (python)
    Create a notification for this product.
    Credits
    Mr. JDH
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11764",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-09T13:49:30.786909Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-09T13:49:42.672Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/",
              "defaultStatus": "unaffected",
              "packageName": "pretix",
              "product": "pretix",
              "repo": "https://github.com/pretix/pretix",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "2026.3.0",
                  "status": "affected",
                  "version": "2024.1.0",
                  "versionType": "python"
                },
                {
                  "changes": [
                    {
                      "at": "2026.3.3",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2026.4.0",
                  "status": "affected",
                  "version": "2026.3.0",
                  "versionType": "python"
                },
                {
                  "changes": [
                    {
                      "at": "2026.4.3",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2026.5.0",
                  "status": "affected",
                  "version": "2026.4.0",
                  "versionType": "python"
                },
                {
                  "changes": [
                    {
                      "at": "2026.5.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2026.6.0",
                  "status": "affected",
                  "version": "2026.5.0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Mr. JDH"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eWhen creating an export of all reusable media, the secrets of connected \ngift cards were included in the export even if the user creating the \nexport does not have permission to view gift cards. This is inconsistent\n with the UI and API where only the first letters of the gift card \nsecret are shown. Therefore, it allows circumventing a permission \nboundary.\u003c/p\u003e"
                }
              ],
              "value": "When creating an export of all reusable media, the secrets of connected \ngift cards were included in the export even if the user creating the \nexport does not have permission to view gift cards. This is inconsistent\n with the UI and API where only the first letters of the gift card \nsecret are shown. Therefore, it allows circumventing a permission \nboundary."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 3.6,
                "baseSeverity": "LOW",
                "exploitMaturity": "UNREPORTED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-280",
                  "description": "CWE-280 Improper handling of insufficient permissions or privileges",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-09T11:54:37.865Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://pretix.eu/about/en/blog/20260609-release-2026-5-1/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Data exposed without proper permission",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-11764",
        "datePublished": "2026-06-09T11:54:37.865Z",
        "dateReserved": "2026-06-09T08:08:24.188Z",
        "dateUpdated": "2026-06-09T13:49:42.672Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9712 (GCVE-0-2026-9712)

    Vulnerability from cvelistv5 – Published: 2026-05-27 14:35 – Updated: 2026-05-28 15:39
    VLAI
    Title
    Insecure direct object reference
    Summary
    When creating an export through the pretix API, API clients are returned an UUID value for their export job (a long, random string like 35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client can then request the actual file for download. The same kind of UUID is used in other places in pretix when temporary files are generated for internal use or download. One remaining API endpoint, however, wrongfully did not verify if the UUID used for download actually belongs to a file that is supposed to be downloadable and belongs to the correct user. In reality, this is hard to exploit because an attacker would need to have access to a valid UUID for the file they desire which is unlikely to happen without a separate security problem giving them access to logs etc.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    References
    Impacted products
    Vendor Product Version
    pretix pretix Affected: 2024.10.0 , < 2026.2.0 (python)
    Affected: 2026.2.0 , < 2026.3.0 (python)
    Affected: 2026.3.0 , < 2026.4.0 (python)
    Affected: 2026.4.0 , < 2026.5.0 (python)
    Create a notification for this product.
    Credits
    Deepjyoti Roy
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9712",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-28T15:39:22.313424Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-28T15:39:28.686Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/",
              "defaultStatus": "unaffected",
              "packageName": "pretix",
              "product": "pretix",
              "repo": "https://github.com/pretix/pretix",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "2026.2.0",
                  "status": "affected",
                  "version": "2024.10.0",
                  "versionType": "python"
                },
                {
                  "changes": [
                    {
                      "at": "2026.2.2",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2026.3.0",
                  "status": "affected",
                  "version": "2026.2.0",
                  "versionType": "python"
                },
                {
                  "changes": [
                    {
                      "at": "2026.3.2",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2026.4.0",
                  "status": "affected",
                  "version": "2026.3.0",
                  "versionType": "python"
                },
                {
                  "changes": [
                    {
                      "at": "2026.4.2",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2026.5.0",
                  "status": "affected",
                  "version": "2026.4.0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Deepjyoti Roy"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eWhen creating an export through the pretix API, API clients are \nreturned an UUID value for their export job (a long, random string like \n35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client \ncan then request the actual file for download. The same kind of UUID is \nused in other places in pretix when temporary files are generated for \ninternal use or download.\u003c/p\u003e\n\u003cp\u003eOne remaining API endpoint, however, wrongfully did not verify if the\n UUID used for download actually belongs to a file that is supposed to \nbe downloadable and belongs to the correct user. In reality, this is \nhard to exploit because an attacker would need to have access to a valid\n UUID for the file they desire which is unlikely to happen without a \nseparate security problem giving them access to logs etc.\u003c/p\u003e"
                }
              ],
              "value": "When creating an export through the pretix API, API clients are \nreturned an UUID value for their export job (a long, random string like \n35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client \ncan then request the actual file for download. The same kind of UUID is \nused in other places in pretix when temporary files are generated for \ninternal use or download.\n\n\n\n\nOne remaining API endpoint, however, wrongfully did not verify if the\n UUID used for download actually belongs to a file that is supposed to \nbe downloadable and belongs to the correct user. In reality, this is \nhard to exploit because an attacker would need to have access to a valid\n UUID for the file they desire which is unlikely to happen without a \nseparate security problem giving them access to logs etc."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 3.8,
                "baseSeverity": "LOW",
                "exploitMaturity": "UNREPORTED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T14:35:58.857Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://pretix.eu/about/en/blog/20260527-release-2026-4-2/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Insecure direct object reference",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-9712",
        "datePublished": "2026-05-27T14:35:58.857Z",
        "dateReserved": "2026-05-27T14:18:33.470Z",
        "dateUpdated": "2026-05-28T15:39:28.686Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5600 (GCVE-0-2026-5600)

    Vulnerability from cvelistv5 – Published: 2026-04-08 12:24 – Updated: 2026-04-08 16:03
    VLAI
    Summary
    A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same organizer, even those they should not have access to. These records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example: { "id": 123, "successful": true, "error_reason": null, "error_explanation": null, "position": 321, "datetime": "2020-08-23T09:00:00+02:00", "list": 456, "created": "2020-08-23T09:00:00+02:00", "auto_checked_in": false, "gate": null, "device": 1, "device_id": 1, "type": "entry" } An unauthorized user usually has no way to match these IDs (position) back to individual people.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-653 - Improper isolation or compartmentalization
    Assigner
    Impacted products
    Vendor Product Version
    pretix pretix Affected: 2025.10.0 , < 2026.1.2 (python)
    Affected: 2026.2.0 , < 2026.2.1 (python)
    Affected: 2026.3.0 , < 2026.3.1 (python)
    Create a notification for this product.
    Credits
    Pratik Karan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5600",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-08T16:02:54.453740Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-08T16:03:07.473Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix",
              "product": "pretix",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "2026.1.2",
                  "status": "affected",
                  "version": "2025.10.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "2026.2.1",
                  "status": "affected",
                  "version": "2026.2.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "2026.3.1",
                  "status": "affected",
                  "version": "2026.3.0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Pratik Karan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eA new API endpoint introduced in pretix 2025 that is supposed to \nreturn all check-in events of a specific event in fact returns all \ncheck-in events belonging to the respective organizer. This allows an \nAPI consumer to access information for all other events under the same \norganizer, even those they should not have access to.\u003c/p\u003e\n\u003cp\u003eThese records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003e{\n  \"id\": 123,\n  \"successful\": true,\n  \"error_reason\": null,\n  \"error_explanation\": null,\n  \"position\": 321,\n  \"datetime\": \"2020-08-23T09:00:00+02:00\",\n  \"list\": 456,\n  \"created\": \"2020-08-23T09:00:00+02:00\",\n  \"auto_checked_in\": false,\n  \"gate\": null,\n  \"device\": 1,\n  \"device_id\": 1,\n  \"type\": \"entry\"\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eAn unauthorized user usually has no way to match these IDs (\u003ccode\u003eposition\u003c/code\u003e) back to individual people.\u003c/p\u003e"
                }
              ],
              "value": "A new API endpoint introduced in pretix 2025 that is supposed to \nreturn all check-in events of a specific event in fact returns all \ncheck-in events belonging to the respective organizer. This allows an \nAPI consumer to access information for all other events under the same \norganizer, even those they should not have access to.\n\n\nThese records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example:\n\n\n{\n  \"id\": 123,\n  \"successful\": true,\n  \"error_reason\": null,\n  \"error_explanation\": null,\n  \"position\": 321,\n  \"datetime\": \"2020-08-23T09:00:00+02:00\",\n  \"list\": 456,\n  \"created\": \"2020-08-23T09:00:00+02:00\",\n  \"auto_checked_in\": false,\n  \"gate\": null,\n  \"device\": 1,\n  \"device_id\": 1,\n  \"type\": \"entry\"\n}\n\n\n\nAn unauthorized user usually has no way to match these IDs (position) back to individual people."
            }
          ],
          "impacts": [
            {
              "descriptions": [
                {
                  "lang": "en",
                  "value": "auth"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-653",
                  "description": "CWE-653 Improper isolation or compartmentalization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T12:24:51.602Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "url": "https://pretix.eu/about/en/blog/20260408-release-2026-3-1/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-5600",
        "datePublished": "2026-04-08T12:24:51.602Z",
        "dateReserved": "2026-04-05T12:25:54.058Z",
        "dateUpdated": "2026-04-08T16:03:07.473Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-2452 (GCVE-0-2026-2452)

    Vulnerability from cvelistv5 – Published: 2026-02-16 10:16 – Updated: 2026-02-17 17:06
    VLAI
    Title
    Unsafe variable evaluation in email templates
    Summary
    Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained a security-relevant bug: It was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}. This way, an attacker with the ability to control email templates (usually every user of the pretix backend) could retrieve sensitive information from the system configuration, including even database passwords or API keys. pretix does include mechanisms to prevent the usage of such malicious placeholders, however due to a mistake in the code, they were not fully effective for this plugin. Out of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg https://docs.pretix.eu/self-hosting/config/  file.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-627 - Dynamic Variable Evaluation
    Assigner
    References
    Impacted products
    Vendor Product Version
    pretix pretix-newsletter Affected: 1.0.0 , < 2.0.0 (python)
    Affected: 2.0.0 , < 2.0.1 (python)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-2452",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-17T16:43:10.295791Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-17T17:06:21.998Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://marketplace.pretix.eu/",
              "defaultStatus": "unaffected",
              "packageName": "pretix-newsletter",
              "product": "pretix-newsletter",
              "vendor": "pretix",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.6.3",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2.0.0",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "2.0.1",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eEmails sent by pretix can utilize placeholders that will be filled with customer data. For example, when \u003ccode\u003e{name}\u003c/code\u003e\n is used in an email template, it will  be replaced with the buyer\u0027s \nname for the final email. This mechanism contained a security-relevant bug:\u003c/p\u003e\u003cp\u003eIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as \u003ccode\u003e{{event.__init__.__code__.co_filename}}\u003c/code\u003e.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for this plugin.\u003c/p\u003e\u003cp\u003eOut of caution, we recommend that you rotate all passwords and API keys contained in your \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.pretix.eu/self-hosting/config/\"\u003epretix.cfg\u003c/a\u003e\u0026nbsp;file.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name}\n is used in an email template, it will  be replaced with the buyer\u0027s \nname for the final email. This mechanism contained a security-relevant bug:\n\nIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for this plugin.\n\nOut of caution, we recommend that you rotate all passwords and API keys contained in your  pretix.cfg https://docs.pretix.eu/self-hosting/config/ \u00a0file."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-545",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-545 Pull Data from System Resources"
                }
              ]
            },
            {
              "capecId": "CAPEC-77",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-77 Manipulating User-Controlled Variables"
                }
              ]
            },
            {
              "capecId": "CAPEC-54",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-54 Query System for Information"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "exploitMaturity": "PROOF_OF_CONCEPT",
                "privilegesRequired": "LOW",
                "providerUrgency": "RED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/RE:L/U:Red",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "LOW"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-627",
                  "description": "CWE-627 Dynamic Variable Evaluation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-16T10:16:22.027Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://pretix.eu/about/en/blog/20260216-release-2026-1-1/"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Unsafe variable evaluation in email templates",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Limit backend access to trusted users, do not use user-controlled variables in the email templates."
                }
              ],
              "value": "Limit backend access to trusted users, do not use user-controlled variables in the email templates."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-2452",
        "datePublished": "2026-02-16T10:16:22.027Z",
        "dateReserved": "2026-02-13T09:57:35.371Z",
        "dateUpdated": "2026-02-17T17:06:21.998Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-2451 (GCVE-0-2026-2451)

    Vulnerability from cvelistv5 – Published: 2026-02-16 10:16 – Updated: 2026-02-17 17:06
    VLAI
    Title
    Unsafe variable evaluation in email templates
    Summary
    Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained a security-relevant bug: It was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}. This way, an attacker with the ability to control email templates (usually every user of the pretix backend) could retrieve sensitive information from the system configuration, including even database passwords or API keys. pretix does include mechanisms to prevent the usage of such malicious placeholders, however due to a mistake in the code, they were not fully effective for this plugin. Out of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg file.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-627 - Dynamic Variable Evaluation
    Assigner
    References
    Impacted products
    Vendor Product Version
    pretix pretix-doistep Affected: 1.0.0 , < 1.3.2 (python)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-2451",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-17T16:43:11.539670Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-17T17:06:30.536Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://marketplace.pretix.eu/",
              "defaultStatus": "unaffected",
              "packageName": "pretix-doistep",
              "product": "pretix-doistep",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "1.3.2",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eEmails sent by pretix can utilize placeholders that will be filled with customer data. For example, when \u003ccode\u003e{name}\u003c/code\u003e\n is used in an email template, it will  be replaced with the buyer\u0027s \nname for the final email. This mechanism contained a security-relevant bug:\u003c/p\u003e\u003cp\u003eIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as \u003ccode\u003e{{event.__init__.__code__.co_filename}}\u003c/code\u003e.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for this plugin.\u003c/p\u003e\u003cp\u003eOut of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg\u0026nbsp;file.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name}\n is used in an email template, it will  be replaced with the buyer\u0027s \nname for the final email. This mechanism contained a security-relevant bug:\n\nIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for this plugin.\n\nOut of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg\u00a0file."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-545",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-545 Pull Data from System Resources"
                }
              ]
            },
            {
              "capecId": "CAPEC-77",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-77 Manipulating User-Controlled Variables"
                }
              ]
            },
            {
              "capecId": "CAPEC-54",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-54 Query System for Information"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "exploitMaturity": "PROOF_OF_CONCEPT",
                "privilegesRequired": "LOW",
                "providerUrgency": "RED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/RE:L/U:Red",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "LOW"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-627",
                  "description": "CWE-627 Dynamic Variable Evaluation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-16T10:16:05.423Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://pretix.eu/about/en/blog/20260216-release-2026-1-1/"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Unsafe variable evaluation in email templates",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Limit backend access to trusted users, do not use user-controlled variables in the email templates."
                }
              ],
              "value": "Limit backend access to trusted users, do not use user-controlled variables in the email templates."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-2451",
        "datePublished": "2026-02-16T10:16:05.423Z",
        "dateReserved": "2026-02-13T09:57:34.221Z",
        "dateUpdated": "2026-02-17T17:06:30.536Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-2415 (GCVE-0-2026-2415)

    Vulnerability from cvelistv5 – Published: 2026-02-16 10:15 – Updated: 2026-02-17 17:06
    VLAI
    Title
    Unsafe variable evaluation in email templates
    Summary
    Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained two security-relevant bugs: * It was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}. This way, an attacker with the ability to control email templates (usually every user of the pretix backend) could retrieve sensitive information from the system configuration, including even database passwords or API keys. pretix does include mechanisms to prevent the usage of such malicious placeholders, however due to a mistake in the code, they were not fully effective for the email subject. * Placeholders in subjects and plain text bodies of emails were wrongfully evaluated twice. Therefore, if the first evaluation of a placeholder again contains a placeholder, this second placeholder was rendered. This allows the rendering of placeholders controlled by the ticket buyer, and therefore the exploitation of the first issue as a ticket buyer. Luckily, the only buyer-controlled placeholder available in pretix by default (that is not validated in a way that prevents the issue) is {invoice_company}, which is very unusual (but not impossible) to be contained in an email subject template. In addition to broadening the attack surface of the first issue, this could theoretically also leak information about an order to one of the attendees within that order. However, we also consider this scenario very unlikely under typical conditions. Out of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg https://docs.pretix.eu/self-hosting/config/  file.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-627 - Dynamic Variable Evaluation
    Assigner
    References
    Impacted products
    Vendor Product Version
    pretix pretix Affected: 4.16.0 , < 2025.9.0 (python)
    Affected: 2025.9.0 , < 2025.10.0 (python)
    Affected: 2025.10.0 , < 2026.1.0 (python)
    Affected: 2026.1.0 , < 2026.1.1 (python)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-2415",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-17T16:43:12.852157Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-17T17:06:39.418Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/",
              "defaultStatus": "unaffected",
              "packageName": "pretix",
              "product": "pretix",
              "repo": "https://github.com/pretix/pretix",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "2025.9.0",
                  "status": "affected",
                  "version": "4.16.0",
                  "versionType": "python"
                },
                {
                  "changes": [
                    {
                      "at": "2025.9.4",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2025.10.0",
                  "status": "affected",
                  "version": "2025.9.0",
                  "versionType": "python"
                },
                {
                  "changes": [
                    {
                      "at": "2025.10.2",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2026.1.0",
                  "status": "affected",
                  "version": "2025.10.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "2026.1.1",
                  "status": "affected",
                  "version": "2026.1.0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eEmails sent by pretix can utilize placeholders that will be filled with customer data. For example, when \u003ccode\u003e{name}\u003c/code\u003e\n is used in an email template, it will  be replaced with the buyer\u0027s \nname for the final email. This mechanism contained two security-relevant\n bugs:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\n\u003cp\u003eIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as \u003ccode\u003e{{event.__init__.__code__.co_filename}}\u003c/code\u003e.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for the email subject.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003ePlaceholders in subjects and plain text bodies of emails were \nwrongfully evaluated twice. Therefore, if the first evaluation of a \nplaceholder again contains a placeholder, this second placeholder was \nrendered. This allows the rendering of placeholders controlled by the \nticket buyer, and therefore the exploitation of the first issue as a \nticket buyer. Luckily, the only buyer-controlled placeholder available \nin pretix by default (that is not validated in a way that prevents the \nissue) is \u003ccode\u003e{invoice_company}\u003c/code\u003e, which is very unusual (but not\n impossible) to be contained in an email subject template. In addition \nto broadening the attack surface of the first issue, this could \ntheoretically also leak information about an order to one of the \nattendees within that order. However, we also consider this scenario \nvery unlikely under typical conditions.\u003c/p\u003e\u003c/li\u003e\u003c/ol\u003e\u003cdiv\u003eOut of caution, we recommend that you rotate all passwords and API keys contained in your \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.pretix.eu/self-hosting/config/\"\u003epretix.cfg\u003c/a\u003e\u0026nbsp;file.\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name}\n is used in an email template, it will  be replaced with the buyer\u0027s \nname for the final email. This mechanism contained two security-relevant\n bugs:\n\n\n\n  *  \nIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for the email subject.\n\n\n\n\n  *  \nPlaceholders in subjects and plain text bodies of emails were \nwrongfully evaluated twice. Therefore, if the first evaluation of a \nplaceholder again contains a placeholder, this second placeholder was \nrendered. This allows the rendering of placeholders controlled by the \nticket buyer, and therefore the exploitation of the first issue as a \nticket buyer. Luckily, the only buyer-controlled placeholder available \nin pretix by default (that is not validated in a way that prevents the \nissue) is {invoice_company}, which is very unusual (but not\n impossible) to be contained in an email subject template. In addition \nto broadening the attack surface of the first issue, this could \ntheoretically also leak information about an order to one of the \nattendees within that order. However, we also consider this scenario \nvery unlikely under typical conditions.\n\n\nOut of caution, we recommend that you rotate all passwords and API keys contained in your  pretix.cfg https://docs.pretix.eu/self-hosting/config/ \u00a0file."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-545",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-545 Pull Data from System Resources"
                }
              ]
            },
            {
              "capecId": "CAPEC-77",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-77 Manipulating User-Controlled Variables"
                }
              ]
            },
            {
              "capecId": "CAPEC-54",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-54 Query System for Information"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "exploitMaturity": "PROOF_OF_CONCEPT",
                "privilegesRequired": "LOW",
                "providerUrgency": "RED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/RE:L/U:Red",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "LOW"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-627",
                  "description": "CWE-627 Dynamic Variable Evaluation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-16T10:15:09.149Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://pretix.eu/about/en/blog/20260216-release-2026-1-1/"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Unsafe variable evaluation in email templates",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Limit backend access to trusted users, do not use user-controlled variables in the email template subjects."
                }
              ],
              "value": "Limit backend access to trusted users, do not use user-controlled variables in the email template subjects."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2026-2415",
        "datePublished": "2026-02-16T10:15:09.149Z",
        "dateReserved": "2026-02-12T17:02:46.966Z",
        "dateUpdated": "2026-02-17T17:06:39.418Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-14881 (GCVE-0-2025-14881)

    Vulnerability from cvelistv5 – Published: 2025-12-19 12:24 – Updated: 2025-12-19 12:58
    VLAI
    Title
    Insecure direct object reference
    Summary
    Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    References
    Impacted products
    Vendor Product Version
    pretix pretix Affected: 1.0.0 , < 2025.8.0 (python)
    Affected: 2025.8.0 , < 2025.9.0 (python)
    Affected: 2025.9.0 , < 2025.10.0 (python)
    Affected: 2025.10.0 , < 2025.11.0 (python)
    Create a notification for this product.
    Credits
    Deniz Parlak (https://github.com/DenizParlak)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-14881",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-19T12:58:00.895498Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-19T12:58:15.508Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/",
              "defaultStatus": "unaffected",
              "packageName": "pretix",
              "product": "pretix",
              "repo": "https://github.com/pretix/pretix",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "2025.8.0",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "python"
                },
                {
                  "changes": [
                    {
                      "at": "2025.8.3",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2025.9.0",
                  "status": "affected",
                  "version": "2025.8.0",
                  "versionType": "python"
                },
                {
                  "changes": [
                    {
                      "at": "2025.9.3",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2025.10.0",
                  "status": "affected",
                  "version": "2025.9.0",
                  "versionType": "python"
                },
                {
                  "changes": [
                    {
                      "at": "2025.10.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2025.11.0",
                  "status": "affected",
                  "version": "2025.10.0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Deniz Parlak (https://github.com/DenizParlak)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only."
                }
              ],
              "value": "Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 3.8,
                "baseSeverity": "LOW",
                "exploitMaturity": "UNREPORTED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-19T12:24:10.523Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://pretix.eu/about/en/blog/20251218-release-2025-10-1/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Insecure direct object reference",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2025-14881",
        "datePublished": "2025-12-19T12:24:10.523Z",
        "dateReserved": "2025-12-18T11:48:11.819Z",
        "dateUpdated": "2025-12-19T12:58:15.508Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-13742 (GCVE-0-2025-13742)

    Vulnerability from cvelistv5 – Published: 2025-11-27 11:04 – Updated: 2025-11-28 15:22
    VLAI
    Title
    Limited HTML injection in emails
    Summary
    Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML in the resulting email. This way, a user could inject links or other formatted text through a maliciously formatted name. Since pretix applies a strict allow list approach to allowed HTML tags, this could not be abused for XSS or similarly dangerous attack chains. However, it can be used to manipulate emails in a way that makes user-provided content appear in a trustworthy and credible way, which can be abused for phishing.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Limited HTML injection in emails
    • CWE-116 - Improper Encoding or Escaping of Output
    Assigner
    References
    Impacted products
    Vendor Product Version
    pretix pretix Affected: 1.0.0 , < 2025.7.0 (python)
    Affected: 2025.7.0 , < 2025.8.0 (python)
    Affected: 2025.8.0 , < 2025.9.0 (python)
    Affected: 2025.9.0 , < 2025.10.0 (python)
    Create a notification for this product.
    Date Public
    2025-11-27 11:00
    Credits
    Jan Roring (binsec GmbH)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-13742",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-28T15:20:23.125472Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-116",
                    "description": "CWE-116 Improper Encoding or Escaping of Output",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-28T15:22:05.481Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/",
              "defaultStatus": "unaffected",
              "packageName": "pretix",
              "product": "pretix",
              "repo": "https://github.com/pretix/pretix",
              "vendor": "pretix",
              "versions": [
                {
                  "lessThan": "2025.7.0",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "python"
                },
                {
                  "changes": [
                    {
                      "at": "2025.7.2",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2025.8.0",
                  "status": "affected",
                  "version": "2025.7.0",
                  "versionType": "python"
                },
                {
                  "changes": [
                    {
                      "at": "2025.8.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2025.9.0",
                  "status": "affected",
                  "version": "2025.8.0",
                  "versionType": "python"
                },
                {
                  "changes": [
                    {
                      "at": "2025.9.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2025.10.0",
                  "status": "affected",
                  "version": "2025.9.0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jan Roring (binsec GmbH)"
            }
          ],
          "datePublic": "2025-11-27T11:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer\u0027s name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML in the resulting email. This way, a user could inject links or other formatted text through a maliciously formatted name. Since pretix applies a strict allow list approach to allowed HTML tags, this could not be abused for XSS or similarly dangerous attack chains. However, it can be used to manipulate emails in a way that makes user-provided content appear in a trustworthy and credible way, which can be abused for phishing."
                }
              ],
              "value": "Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer\u0027s name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML in the resulting email. This way, a user could inject links or other formatted text through a maliciously formatted name. Since pretix applies a strict allow list approach to allowed HTML tags, this could not be abused for XSS or similarly dangerous attack chains. However, it can be used to manipulate emails in a way that makes user-provided content appear in a trustworthy and credible way, which can be abused for phishing."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-134",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-134 Email Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.4,
                "baseSeverity": "LOW",
                "exploitMaturity": "UNREPORTED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:L/SC:N/SI:L/SA:L/E:U",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Limited HTML injection in emails",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-27T11:04:36.990Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://pretix.eu/about/en/blog/20251126-release-2025-9-1/"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Limited HTML injection in emails",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2025-13742",
        "datePublished": "2025-11-27T11:04:36.990Z",
        "dateReserved": "2025-11-26T14:01:07.019Z",
        "dateUpdated": "2025-11-28T15:22:05.481Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-8113 (GCVE-0-2024-8113)

    Vulnerability from cvelistv5 – Published: 2024-08-23 14:18 – Updated: 2024-08-30 18:40
    VLAI
    Title
    Stored XSS in Placeholder Samples in Mail Preview
    Summary
    Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. The default Content Security Policy of pretix prevents execution of attacker-provided scripts, making exploitation unlikely. However, combined with a CSP bypass (which is not currently known) the vulnerability could be used to impersonate other organizers or staff users.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    pretix pretix Affected: 0 , ≤ 2024.7.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8113",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-30T18:23:56.592210Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-30T18:40:02.041Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.python.org",
              "defaultStatus": "unaffected",
              "packageName": "pretix",
              "product": "pretix",
              "repo": "https://github.com/pretix/pretix",
              "vendor": "pretix",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2024.4.1",
                      "status": "unaffected"
                    },
                    {
                      "at": "2024.5.1",
                      "status": "unaffected"
                    },
                    {
                      "at": "2024.6.1",
                      "status": "unaffected"
                    },
                    {
                      "at": "2024.7.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "2024.7.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Only exploitable if Content-Security-Policy are removed or if a CSP bypass is possible.\u003cbr\u003e"
                }
              ],
              "value": "Only exploitable if Content-Security-Policy are removed or if a CSP bypass is possible."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. The default Content Security Policy of pretix prevents execution of attacker-provided scripts, making exploitation unlikely. However, combined with a CSP bypass (which is not currently known) the vulnerability could be used to impersonate other organizers or staff users.\u003cbr\u003e"
                }
              ],
              "value": "Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. The default Content Security Policy of pretix prevents execution of attacker-provided scripts, making exploitation unlikely. However, combined with a CSP bypass (which is not currently known) the vulnerability could be used to impersonate other organizers or staff users."
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "No known exploits.\u003cbr\u003e"
                }
              ],
              "value": "No known exploits."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "USER",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "HIGH",
                "providerUrgency": "GREEN",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/R:U/RE:L/U:Green",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "LOW"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-08-23T14:24:05.228Z",
            "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
            "shortName": "rami.io"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://pretix.eu/about/en/blog/20240823-release-2024-7-1/"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Stored XSS in Placeholder Samples in Mail Preview",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "assignerShortName": "rami.io",
        "cveId": "CVE-2024-8113",
        "datePublished": "2024-08-23T14:18:05.416Z",
        "dateReserved": "2024-08-23T08:52:05.098Z",
        "dateUpdated": "2024-08-30T18:40:02.041Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-27447 (GCVE-0-2024-27447)

    Vulnerability from cvelistv5 – Published: 2024-02-26 00:00 – Updated: 2024-08-05 15:16
    VLAI
    Summary
    pretix before 2024.1.1 mishandles file validation.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    rami pretix Affected: 0 , < 2024.1.1 (custom)
        cpe:2.3:a:rami:pretix:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T00:34:52.146Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/pretix/pretix/compare/v2023.10.2...v2024.1.1"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:rami:pretix:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "pretix",
                "vendor": "rami",
                "versions": [
                  {
                    "lessThan": "2024.1.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-27447",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-05T14:46:15.905298Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-20",
                    "description": "CWE-20 Improper Input Validation",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-05T15:16:33.447Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "pretix before 2024.1.1 mishandles file validation."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-02-26T05:07:58.183Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/pretix/pretix/compare/v2023.10.2...v2024.1.1"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2024-27447",
        "datePublished": "2024-02-26T00:00:00.000Z",
        "dateReserved": "2024-02-26T00:00:00.000Z",
        "dateUpdated": "2024-08-05T15:16:33.447Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }