Search criteria
27 vulnerabilities
CVE-2026-13602 (GCVE-0-2026-13602)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:45 – Updated: 2026-07-01 15:27
VLAI?
Title
Session takeover vulnerability
Summary
We found a chain of combining multiple weaknesses in the product that could allow an attacker to become any user in the backend and access any data:
*
The payment integration plugins Stripe (included in the core system), pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, and pretix-saferpay
contain a code path that is intended for the transport of session
parameters from a tab with isolated cookies (e.g. in the pretix widget)
to a new tab. For this purpose, a set of session parameters is
cryptographically signed and then passed to the new tab as a URL
parameter. The plugins perform no further validation of the session
parameters, other than the cryptographic signature being valid. This is
fixed with the releases issued today by strictly validating that no
session parameters outside of the scope of the respective plugin may be
set.
*
An unrelated feature in the core system is used to generate redirect links that obfuscate any Referer
headers for outgoing links to prevent leakage of secrets in URLs. This
redirect page also requires cryptographically signed parameters.
Unfortunately, it uses the same key and salt for the signature as the
previously mentioned feature in the payment integration plugins. A
motivated attacker with access to at least one event in the backend can
trick the system into cryptographically signing arbitrary content using
specially crafted links. In combination with the previous issue, the
attacker could use this to set and modify arbitrary parameters on their
user session by injecting the signed parameters into the feature of the
payment providers. This is fixed with the releases issued today by using
different salts for the signature for each plugin and feature.
*
A third, unrelated feature in the core system is used for admin users
to act on behalf of another user, mostly for debugging purposes. With
being able to insert arbitrary parameters into a session, an attacker
can abuse this feature to change their session from their actual user to
any user in the system by guessing a valid user ID. This is fixed with
the release today by requiring unguessable information to be contained
in the session of the user to switch to.
Severity ?
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| pretix | pretix |
Affected:
4.14.0 , < 2026.3.5
(python)
Affected: 2026.4.0 , < 2026.4.5 (python) Affected: 2026.5.0 , < 2026.5.3 (python) |
|||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13602",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:26:54.400278Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:27:00.431Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"repo": "https://github.com/pretix/pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2026.3.5",
"status": "affected",
"version": "4.14.0",
"versionType": "python"
},
{
"lessThan": "2026.4.5",
"status": "affected",
"version": "2026.4.0",
"versionType": "python"
},
{
"lessThan": "2026.5.3",
"status": "affected",
"version": "2026.5.0",
"versionType": "python"
}
]
},
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix-mollie",
"product": "pretix-mollie",
"repo": "https://github.com/pretix/pretix-mollie",
"vendor": "pretix",
"versions": [
{
"lessThan": "2.5.7",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
},
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix-oppwa",
"product": "pretix-oppwa",
"repo": "https://github.com/pretix/pretix-oppwa",
"vendor": "pretix",
"versions": [
{
"lessThan": "1.4.4",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
},
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix-bitpay",
"product": "pretix-bitpay",
"repo": "https://github.com/pretix/pretix-bitpay",
"vendor": "pretix",
"versions": [
{
"lessThan": "1.5.3",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
},
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix-payone",
"product": "pretix-payone",
"repo": "https://github.com/pretix/pretix-payone",
"vendor": "pretix",
"versions": [
{
"lessThan": "1.4.3",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
},
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix-secuconnect",
"product": "pretix-secuconnect",
"repo": "https://github.com/pretix/pretix-secuconnect",
"vendor": "pretix",
"versions": [
{
"lessThan": "1.0.4",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
},
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix-sofort",
"product": "pretix-sofort",
"repo": "https://github.com/pretix/pretix-sofort",
"vendor": "pretix",
"versions": [
{
"lessThan": "1.4.2",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
},
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix-saferpay",
"product": "pretix-saferpay",
"repo": "https://github.com/pretix/pretix-saferpay",
"vendor": "pretix",
"versions": [
{
"lessThan": "1.6.3",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eWe found a chain of combining multiple weaknesses in the product that could allow an attacker to become \u003cstrong\u003eany\u003c/strong\u003e user in the backend and access \u003cstrong\u003eany\u003c/strong\u003e data:\u003c/p\u003e\u003cp\u003e\n\u003c/p\u003e\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eThe payment integration plugins Stripe (included in the core system), \u003ccode\u003epretix-mollie\u003c/code\u003e, \u003ccode\u003epretix-oppwa\u003c/code\u003e, \u003ccode\u003epretix-bitpay\u003c/code\u003e, \u003ccode\u003epretix-payone\u003c/code\u003e, \u003ccode\u003epretix-secuconnect\u003c/code\u003e, \u003ccode\u003epretix-sofort\u003c/code\u003e, and \u003ccode\u003epretix-saferpay\u003c/code\u003e\n contain a code path that is intended for the transport of session \nparameters from a tab with isolated cookies (e.g. in the pretix widget) \nto a new tab. For this purpose, a set of session parameters is \ncryptographically signed and then passed to the new tab as a URL \nparameter. The plugins perform no further validation of the session \nparameters, other than the cryptographic signature being valid. This is \nfixed with the releases issued today by strictly validating that no \nsession parameters outside of the scope of the respective plugin may be \nset.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAn unrelated feature in the core system is used to generate redirect links that obfuscate any \u003ccode\u003eReferer\u003c/code\u003e\n headers for outgoing links to prevent leakage of secrets in URLs. This \nredirect page also requires cryptographically signed parameters. \nUnfortunately, it uses the same key and salt for the signature as the \npreviously mentioned feature in the payment integration plugins. A \nmotivated attacker with access to at least one event in the backend can \ntrick the system into cryptographically signing arbitrary content using \nspecially crafted links. In combination with the previous issue, the \nattacker could use this to set and modify arbitrary parameters on their \nuser session by injecting the signed parameters into the feature of the \npayment providers. This is fixed with the releases issued today by using\n different salts for the signature for each plugin and feature.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eA third, unrelated feature in the core system is used for admin users\n to act on behalf of another user, mostly for debugging purposes. With \nbeing able to insert arbitrary parameters into a session, an attacker \ncan abuse this feature to change their session from their actual user to\n any user in the system by guessing a valid user ID. This is fixed with\n the release today by requiring unguessable information to be contained \nin the session of the user to switch to.\u003c/p\u003e\n\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "We found a chain of combining multiple weaknesses in the product that could allow an attacker to become any user in the backend and access any data:\n\n\n\n\n\n\n\n * \n\n\nThe payment integration plugins Stripe (included in the core system), pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, and pretix-saferpay\n contain a code path that is intended for the transport of session \nparameters from a tab with isolated cookies (e.g. in the pretix widget) \nto a new tab. For this purpose, a set of session parameters is \ncryptographically signed and then passed to the new tab as a URL \nparameter. The plugins perform no further validation of the session \nparameters, other than the cryptographic signature being valid. This is \nfixed with the releases issued today by strictly validating that no \nsession parameters outside of the scope of the respective plugin may be \nset.\n\n\n\n\n * \n\n\nAn unrelated feature in the core system is used to generate redirect links that obfuscate any Referer\n headers for outgoing links to prevent leakage of secrets in URLs. This \nredirect page also requires cryptographically signed parameters. \nUnfortunately, it uses the same key and salt for the signature as the \npreviously mentioned feature in the payment integration plugins. A \nmotivated attacker with access to at least one event in the backend can \ntrick the system into cryptographically signing arbitrary content using \nspecially crafted links. In combination with the previous issue, the \nattacker could use this to set and modify arbitrary parameters on their \nuser session by injecting the signed parameters into the feature of the \npayment providers. This is fixed with the releases issued today by using\n different salts for the signature for each plugin and feature.\n\n\n\n\n * \n\n\nA third, unrelated feature in the core system is used for admin users\n to act on behalf of another user, mostly for debugging purposes. With \nbeing able to insert arbitrary parameters into a session, an attacker \ncan abuse this feature to change their session from their actual user to\n any user in the system by guessing a valid user ID. This is fixed with\n the release today by requiring unguessable information to be contained \nin the session of the user to switch to."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
},
{
"capecId": "CAPEC-61",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-61 Session Fixation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper input validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-323",
"description": "CWE-323 Reusing a nonce, key pair in encryption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:45:30.615Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://pretix.eu/about/en/blog/20260701-release-2026-5-3/"
}
],
"title": "Session takeover vulnerability",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "If you are unable to update quickly, we recommend to block the URL \u003ccode\u003e/control/users/impersonate/stop\u003c/code\u003e in your webserver configuration. In nginx, you can do this by inserting \u003ccode\u003elocation /control/users/impersonate/stop { deny all; }\u003c/code\u003e\n into the correct block. However, this only remedies the most critical \nimpact the other vulnerabilities have, and we still recommend you plan \nan update as soon as possible."
}
],
"value": "If you are unable to update quickly, we recommend to block the URL /control/users/impersonate/stop in your webserver configuration. In nginx, you can do this by inserting location /control/users/impersonate/stop { deny all; }\n into the correct block. However, this only remedies the most critical \nimpact the other vulnerabilities have, and we still recommend you plan \nan update as soon as possible."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-13602",
"datePublished": "2026-07-01T13:45:30.615Z",
"dateReserved": "2026-06-29T08:26:50.725Z",
"dateUpdated": "2026-07-01T15:27:00.431Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13603 (GCVE-0-2026-13603)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:18 – Updated: 2026-07-01 14:07
VLAI?
Title
SSRF with API key leak in pretix-oppwa
Summary
The payment integration pretix-oppwa provides support
for the payment providers VR Payment, Hobex, and potentially others
based on Oppwa's technology. The integration of Oppwa, following their
official documentation, includes a step where the user is redirected
from the payment provider back to our system with a query parameter like
?resourcePath=/v1/checkouts/{checkoutId}/payment in the URL. Our system is then supposed to fetch the status of the transaction from the URL given by baseUrl + resourcePath.
Our plugin pretix-oppwa did so insecurely by
concatenating the parameter form the URL to the base domain of the API
without further validation and, critically, without a / at the end of the baseUrl. Therefore, an attacker could inject a resourcePath argument in a way that causes pretix to call a different
server instead. Since the request includes the access token (API key)
of the Oppwa account, this would leak the access token, giving access to
data contained in the payment provider's system. This is fixed with the
release today by strictly validating the given API URL.
After installing the update, we recommend asking your payment provider for a new access token and updating it in pretix.
Severity ?
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pretix | pretix-oppwa |
Affected:
0 , < 1.4.4
(python)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13603",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T14:07:27.700177Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:07:36.332Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix-oppwa",
"product": "pretix-oppwa",
"repo": "https://github.com/pretix/pretix-oppwa",
"vendor": "pretix",
"versions": [
{
"lessThan": "1.4.4",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe payment integration \u003ccode\u003epretix-oppwa\u003c/code\u003e provides support \nfor the payment providers VR Payment, Hobex, and potentially others \nbased on Oppwa\u0027s technology. The integration of Oppwa, following their \nofficial documentation, includes a step where the user is redirected \nfrom the payment provider back to our system with a query parameter like\n \u003ccode\u003e?resourcePath=/v1/checkouts/{checkoutId}/payment\u003c/code\u003e in the URL. Our system is then supposed to fetch the status of the transaction from the URL given by \u003ccode\u003ebaseUrl + resourcePath\u003c/code\u003e.\u003c/p\u003e\u003cp\u003eOur plugin \u003ccode\u003epretix-oppwa\u003c/code\u003e did so insecurely by \nconcatenating the parameter form the URL to the base domain of the API \nwithout further validation and, critically, without a \u003ccode\u003e/\u003c/code\u003e at the end of the \u003ccode\u003ebaseUrl\u003c/code\u003e. Therefore, an attacker could inject a \u003ccode\u003eresourcePath\u003c/code\u003e argument in a way that causes pretix to call a \u003cem\u003edifferent\u003c/em\u003e\n server instead. Since the request includes the access token (API key) \nof the Oppwa account, this would leak the access token, giving access to\n data contained in the payment provider\u0027s system. This is fixed with the\n release today by strictly validating the given API URL.\u003c/p\u003e\u003cp\u003e\n\n\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAfter installing the update, we recommend asking your payment provider for a new access token and updating it in pretix.\u003c/strong\u003e\u003c/p\u003e"
}
],
"value": "The payment integration pretix-oppwa provides support \nfor the payment providers VR Payment, Hobex, and potentially others \nbased on Oppwa\u0027s technology. The integration of Oppwa, following their \nofficial documentation, includes a step where the user is redirected \nfrom the payment provider back to our system with a query parameter like\n ?resourcePath=/v1/checkouts/{checkoutId}/payment in the URL. Our system is then supposed to fetch the status of the transaction from the URL given by baseUrl + resourcePath.\n\n\n\nOur plugin pretix-oppwa did so insecurely by \nconcatenating the parameter form the URL to the base domain of the API \nwithout further validation and, critically, without a / at the end of the baseUrl. Therefore, an attacker could inject a resourcePath argument in a way that causes pretix to call a different\n server instead. Since the request includes the access token (API key) \nof the Oppwa account, this would leak the access token, giving access to\n data contained in the payment provider\u0027s system. This is fixed with the\n release today by strictly validating the given API URL.\n\n\n\n\n\n\n\n\n\nAfter installing the update, we recommend asking your payment provider for a new access token and updating it in pretix."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37 Retrieve Embedded Sensitive Data"
}
]
},
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper input validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side request forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:18:09.434Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://pretix.eu/about/en/blog/20260701-release-2026-5-3/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cstrong\u003eAfter installing the update, we recommend asking your payment provider for a new access token and updating it in pretix.\u003c/strong\u003e\u003cdiv\u003e\u003cstrong\u003eAttack detection:\u003c/strong\u003e If you have access logs, you can search them for \u003ccode\u003eresourcePath=\u003c/code\u003e not followed by a \u003ccode\u003e/\u003c/code\u003e or encoded slash \u003ccode\u003e%2F\u003c/code\u003e.\u003cstrong\u003e\u003c/strong\u003e\u003c/div\u003e"
}
],
"value": "After installing the update, we recommend asking your payment provider for a new access token and updating it in pretix.Attack detection: If you have access logs, you can search them for resourcePath= not followed by a / or encoded slash %2F."
}
],
"title": "SSRF with API key leak in pretix-oppwa",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cstrong\u003eWorkaround:\u003c/strong\u003e If you are unable to update pretix quickly, we still recommend to try installing the \u003ccode\u003epretix-oppwa\u003c/code\u003e\n plugin in the latest version. We have not tested it with every old \npretix release, but we expect it to be compatible with any version after\n 2025.1. Otherwise, we recommend to \u003cstrong\u003euninstall\u003c/strong\u003e the \u003ccode\u003epretix-oppwa\u003c/code\u003e plugin."
}
],
"value": "Workaround: If you are unable to update pretix quickly, we still recommend to try installing the pretix-oppwa\n plugin in the latest version. We have not tested it with every old \npretix release, but we expect it to be compatible with any version after\n 2025.1. Otherwise, we recommend to uninstall the pretix-oppwa plugin."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-13603",
"datePublished": "2026-07-01T13:18:09.434Z",
"dateReserved": "2026-06-29T08:26:51.607Z",
"dateUpdated": "2026-07-01T14:07:36.332Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13350 (GCVE-0-2026-13350)
Vulnerability from cvelistv5 – Published: 2026-06-25 16:05 – Updated: 2026-06-25 18:15
VLAI?
Summary
Permissions where checked incorrectly during room creation, allowing attackers to create rooms of types they shouldn't be allowed to create.
Severity ?
CWE
- CWE-639 - Authorization bypass through User-Controlled key
Assigner
References
Credits
Rokkam Vamshi
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13350",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T18:15:06.143068Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T18:15:25.953Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Venueless",
"vendor": "pretix",
"versions": [
{
"lessThan": "0a35457f",
"status": "affected",
"version": "0.0.0",
"versionType": "git"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rokkam Vamshi"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Permissions where checked incorrectly during room creation, allowing attackers to create rooms of types they shouldn\u0027t be allowed to create."
}
],
"value": "Permissions where checked incorrectly during room creation, allowing attackers to create rooms of types they shouldn\u0027t be allowed to create."
}
],
"impacts": [
{
"capecId": "CAPEC-114",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-114 Authentication Abuse"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization bypass through User-Controlled key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T16:05:11.500Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"url": "https://github.com/venueless/venueless/security/advisories/GHSA-hj6j-wpgc-qrp5"
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-13350",
"datePublished": "2026-06-25T16:05:11.500Z",
"dateReserved": "2026-06-25T16:01:43.504Z",
"dateUpdated": "2026-06-25T18:15:25.953Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-57532 (GCVE-0-2026-57532)
Vulnerability from cvelistv5 – Published: 2026-06-25 14:32 – Updated: 2026-06-25 15:04
VLAI?
Summary
Malicious HTML content contained in the layout specification of a PDF
ticket or badge layout was executed when the PDF editor is opened in the
browser. This could allow one backend user to inject JavaScript into
the browser context of another backend user. Due to requirements of the
PDF rendering and editing libraries used, this is one of the few pages
in our backend that do not have a strong Content-Security-Policy that
would render this capability useless for most scenarios.
Severity ?
CWE
- CWE-80 - Improper neutralization of Script-Related HTML tags in a web page (basic XSS)
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-57532",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T15:04:18.329787Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T15:04:24.738Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"repo": "https://github.com/pretix/pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2026.3.4",
"status": "affected",
"version": "0",
"versionType": "python"
},
{
"lessThan": "2026.4.4",
"status": "affected",
"version": "2026.4.0",
"versionType": "python"
},
{
"lessThan": "2026.5.2",
"status": "affected",
"version": "2026.5.0",
"versionType": "python"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Malicious HTML content contained in the layout specification of a PDF \nticket or badge layout was executed when the PDF editor is opened in the\n browser. This could allow one backend user to inject JavaScript into \nthe browser context of another backend user. Due to requirements of the \nPDF rendering and editing libraries used, this is one of the few pages \nin our backend that do not have a strong Content-Security-Policy that \nwould render this capability useless for most scenarios."
}
],
"value": "Malicious HTML content contained in the layout specification of a PDF \nticket or badge layout was executed when the PDF editor is opened in the\n browser. This could allow one backend user to inject JavaScript into \nthe browser context of another backend user. Due to requirements of the \nPDF rendering and editing libraries used, this is one of the few pages \nin our backend that do not have a strong Content-Security-Policy that \nwould render this capability useless for most scenarios."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80 Improper neutralization of Script-Related HTML tags in a web page (basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T14:32:37.967Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"url": "https://pretix.eu/about/en/blog/20260625-release-2026-5-2/"
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-57532",
"datePublished": "2026-06-25T14:32:37.967Z",
"dateReserved": "2026-06-24T15:59:32.628Z",
"dateUpdated": "2026-06-25T15:04:24.738Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-57533 (GCVE-0-2026-57533)
Vulnerability from cvelistv5 – Published: 2026-06-25 14:31 – Updated: 2026-06-25 15:05
VLAI?
Summary
Malicious HTML content could be injected into the page pretix shows when
redirection to an untrusted page occurs. Since this page has a
Content-Security-Policy, this can mainly be used for phishing purposes.
Severity ?
CWE
- CWE-80 - Improper neutralization of Script-Related HTML tags in a web page (basic XSS)
Assigner
References
Impacted products
Credits
Haxset
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-57533",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T15:05:08.728267Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T15:05:14.046Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"repo": "https://github.com/pretix/pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2026.3.4",
"status": "affected",
"version": "0",
"versionType": "python"
},
{
"lessThan": "2026.4.4",
"status": "affected",
"version": "2026.4.0",
"versionType": "python"
},
{
"lessThan": "2026.5.2",
"status": "affected",
"version": "2026.5.0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Haxset"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Malicious HTML content could be injected into the page pretix shows when\n redirection to an untrusted page occurs. Since this page has a \nContent-Security-Policy, this can mainly be used for phishing purposes."
}
],
"value": "Malicious HTML content could be injected into the page pretix shows when\n redirection to an untrusted page occurs. Since this page has a \nContent-Security-Policy, this can mainly be used for phishing purposes."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80 Improper neutralization of Script-Related HTML tags in a web page (basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T14:31:18.968Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"url": "https://pretix.eu/about/en/blog/20260625-release-2026-5-2/"
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-57533",
"datePublished": "2026-06-25T14:31:18.968Z",
"dateReserved": "2026-06-24T15:59:32.628Z",
"dateUpdated": "2026-06-25T15:05:14.046Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-57535 (GCVE-0-2026-57535)
Vulnerability from cvelistv5 – Published: 2026-06-25 14:29 – Updated: 2026-06-25 15:10
VLAI?
Summary
Content injected to PDF rendering contexts could, in many places, include HTML content including <img> tags. If the src
attribute of these images pointed to an URL, the PDF rendering engine
would download the image from that place and display it, thereby leaking
information about the rendering server and possibly creating an SSRF
vector in the local network.
Severity ?
CWE
- CWE-80 - Improper neutralization of Script-Related HTML tags in a web page (basic XSS)
Assigner
References
Impacted products
Credits
Rokkam Vamshi
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-57535",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T15:10:42.511872Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T15:10:48.584Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"repo": "https://github.com/pretix/pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2026.3.4",
"status": "affected",
"version": "0",
"versionType": "python"
},
{
"lessThan": "2026.4.4",
"status": "affected",
"version": "2026.4.0",
"versionType": "python"
},
{
"lessThan": "2026.5.2",
"status": "affected",
"version": "2026.5.0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rokkam Vamshi"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Content injected to PDF rendering contexts could, in many places, include HTML content including \u003ccode\u003e\u0026lt;img\u0026gt;\u003c/code\u003e tags. If the \u003ccode\u003esrc\u003c/code\u003e\n attribute of these images pointed to an URL, the PDF rendering engine \nwould download the image from that place and display it, thereby leaking\n information about the rendering server and possibly creating an SSRF \nvector in the local network."
}
],
"value": "Content injected to PDF rendering contexts could, in many places, include HTML content including \u003cimg\u003e tags. If the src\n attribute of these images pointed to an URL, the PDF rendering engine \nwould download the image from that place and display it, thereby leaking\n information about the rendering server and possibly creating an SSRF \nvector in the local network."
}
],
"impacts": [
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80 Improper neutralization of Script-Related HTML tags in a web page (basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T14:32:51.282Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"url": "https://pretix.eu/about/en/blog/20260625-release-2026-5-2/"
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-57535",
"datePublished": "2026-06-25T14:29:18.531Z",
"dateReserved": "2026-06-24T15:59:32.628Z",
"dateUpdated": "2026-06-25T15:10:48.584Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13225 (GCVE-0-2026-13225)
Vulnerability from cvelistv5 – Published: 2026-06-25 14:26 – Updated: 2026-06-25 15:11
VLAI?
Title
Stored XSS in ticket confirmation page
Summary
Malicious HTML content could be injected into the email address of an
order, which pretix showed without sanitization on the confirmation page
for individual tickets in that order.
Severity ?
CWE
- CWE-80 - Improper neutralization of Script-Related HTML tags in a web page (basic XSS)
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13225",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T15:11:06.802643Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T15:11:12.132Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"repo": "https://github.com/pretix/pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2026.3.4",
"status": "affected",
"version": "0",
"versionType": "python"
},
{
"lessThan": "2026.4.4",
"status": "affected",
"version": "2026.4.0",
"versionType": "python"
},
{
"lessThan": "2026.5.2",
"status": "affected",
"version": "2026.5.0",
"versionType": "python"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Malicious HTML content could be injected into the email address of an \norder, which pretix showed without sanitization on the confirmation page\n for individual tickets in that order."
}
],
"value": "Malicious HTML content could be injected into the email address of an \norder, which pretix showed without sanitization on the confirmation page\n for individual tickets in that order."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80 Improper neutralization of Script-Related HTML tags in a web page (basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T14:26:31.972Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"url": "https://pretix.eu/about/en/blog/20260625-release-2026-5-2/"
}
],
"title": "Stored XSS in ticket confirmation page",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-13225",
"datePublished": "2026-06-25T14:26:31.972Z",
"dateReserved": "2026-06-24T16:14:10.932Z",
"dateUpdated": "2026-06-25T15:11:12.132Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-57534 (GCVE-0-2026-57534)
Vulnerability from cvelistv5 – Published: 2026-06-25 14:11 – Updated: 2026-06-25 15:12
VLAI?
Title
Stored XSS in pretix-pages
Summary
Malicious HTML content could be injected into the content of a page in the pretix-pages plugin.
Severity ?
CWE
- CWE-80 - Improper neutralization of Script-Related HTML tags in a web page (basic XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pretix | pretix-pages |
Affected:
0 , < 1.6.4
(python)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-57534",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T15:12:33.269426Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T15:12:42.755Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix-pages",
"product": "pretix-pages",
"repo": "https://github.com/pretix/pretix-pages",
"vendor": "pretix",
"versions": [
{
"lessThan": "1.6.4",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Malicious HTML content could be injected into the content of a page in the \u003cstrong\u003epretix-pages\u003c/strong\u003e plugin."
}
],
"value": "Malicious HTML content could be injected into the content of a page in the pretix-pages plugin."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "stored xss"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80 Improper neutralization of Script-Related HTML tags in a web page (basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T14:16:24.146Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"url": "https://pretix.eu/about/en/blog/20260625-release-2026-5-2/"
}
],
"title": "Stored XSS in pretix-pages",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-57534",
"datePublished": "2026-06-25T14:11:13.204Z",
"dateReserved": "2026-06-24T15:59:32.628Z",
"dateUpdated": "2026-06-25T15:12:42.755Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-57536 (GCVE-0-2026-57536)
Vulnerability from cvelistv5 – Published: 2026-06-25 14:08 – Updated: 2026-06-25 15:13
VLAI?
Title
Insufficient validation of payment status in pretix-mollie
Summary
Our payment integration with Mollie did not properly validate payment
status responses. An attacker could use a successful payment status
response from one payment and supply it to the system for a different
payment, gaining access to multiple valid tickets with only one payment.
Severity ?
CWE
- CWE-841 - Improper enforcement of behavioral workflow
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pretix | pretix-mollie |
Affected:
0 , < 2.5.6
(python)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-57536",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T15:13:22.598137Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T15:13:30.071Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix-mollie",
"product": "pretix-mollie",
"repo": "https://github.com/pretix/pretix-mollie",
"vendor": "pretix",
"versions": [
{
"lessThan": "2.5.6",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Our payment integration with Mollie did not properly validate payment \nstatus responses. An attacker could use a successful payment status \nresponse from one payment and supply it to the system for a different \npayment, gaining access to multiple valid tickets with only one payment."
}
],
"value": "Our payment integration with Mollie did not properly validate payment \nstatus responses. An attacker could use a successful payment status \nresponse from one payment and supply it to the system for a different \npayment, gaining access to multiple valid tickets with only one payment."
}
],
"impacts": [
{
"capecId": "CAPEC-21",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-21 Exploitation of Trusted Identifiers"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-841",
"description": "CWE-841 Improper enforcement of behavioral workflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T14:16:39.008Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"url": "https://pretix.eu/about/en/blog/20260625-release-2026-5-2/"
}
],
"title": "Insufficient validation of payment status in pretix-mollie",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-57536",
"datePublished": "2026-06-25T14:08:37.928Z",
"dateReserved": "2026-06-24T15:59:32.629Z",
"dateUpdated": "2026-06-25T15:13:30.071Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13222 (GCVE-0-2026-13222)
Vulnerability from cvelistv5 – Published: 2026-06-25 14:07 – Updated: 2026-06-25 15:13
VLAI?
Title
Insufficient validation of payment status in pretix-oppwa
Summary
Our payment integration with Oppwa-based payment methods did not
properly validate payment status responses. An attacker could use a
successful payment status response from one payment and supply it to the
system for a different payment, gaining access to multiple valid
tickets with only one payment.
Severity ?
CWE
- CWE-841 - Improper enforcement of behavioral workflow
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pretix | pretix-oppwa |
Affected:
0 , < 1.4.3
(python)
|
Credits
Deepjyoti Roy
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13222",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T15:13:47.859125Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T15:13:53.504Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix-oppw",
"product": "pretix-oppwa",
"repo": "https://github.com/pretix/pretix-oppwa",
"vendor": "pretix",
"versions": [
{
"lessThan": "1.4.3",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Deepjyoti Roy"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Our payment integration with Oppwa-based payment methods did not \nproperly validate payment status responses. An attacker could use a \nsuccessful payment status response from one payment and supply it to the\n system for a different payment, gaining access to multiple valid \ntickets with only one payment."
}
],
"value": "Our payment integration with Oppwa-based payment methods did not \nproperly validate payment status responses. An attacker could use a \nsuccessful payment status response from one payment and supply it to the\n system for a different payment, gaining access to multiple valid \ntickets with only one payment."
}
],
"impacts": [
{
"capecId": "CAPEC-21",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-21 Exploitation of Trusted Identifiers"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-841",
"description": "CWE-841 Improper enforcement of behavioral workflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T14:16:55.922Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"url": "https://pretix.eu/about/en/blog/20260625-release-2026-5-2/"
}
],
"title": "Insufficient validation of payment status in pretix-oppwa",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-13222",
"datePublished": "2026-06-25T14:07:03.521Z",
"dateReserved": "2026-06-24T16:01:13.668Z",
"dateUpdated": "2026-06-25T15:13:53.504Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13223 (GCVE-0-2026-13223)
Vulnerability from cvelistv5 – Published: 2026-06-25 14:03 – Updated: 2026-06-25 15:14
VLAI?
Title
Insufficient validation of payment status in pretix-computop
Summary
Our payment integration with Computop-based payment methods did not
properly validate payment status responses. An attacker could use a
successful payment status response from one payment and supply it to the
system for a different payment, gaining access to multiple valid
tickets with only one payment.
Severity ?
CWE
- CWE-841 - Improper enforcement of behavioral workflow
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pretix | pretix-computop |
Affected:
0 , < 1.3.2
(python)
|
Credits
Deepjyoti Roy
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13223",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T15:14:09.758824Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T15:14:14.673Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix-computop",
"product": "pretix-computop",
"repo": "https://github.com/pretix/pretix-computop",
"vendor": "pretix",
"versions": [
{
"lessThan": "1.3.2",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Deepjyoti Roy"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Our payment integration with Computop-based payment methods did not \nproperly validate payment status responses. An attacker could use a \nsuccessful payment status response from one payment and supply it to the\n system for a different payment, gaining access to multiple valid \ntickets with only one payment."
}
],
"value": "Our payment integration with Computop-based payment methods did not \nproperly validate payment status responses. An attacker could use a \nsuccessful payment status response from one payment and supply it to the\n system for a different payment, gaining access to multiple valid \ntickets with only one payment."
}
],
"impacts": [
{
"capecId": "CAPEC-21",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-21 Exploitation of Trusted Identifiers"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-841",
"description": "CWE-841 Improper enforcement of behavioral workflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T14:17:12.170Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"url": "https://pretix.eu/about/en/blog/20260625-release-2026-5-2/"
}
],
"title": "Insufficient validation of payment status in pretix-computop",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-13223",
"datePublished": "2026-06-25T14:03:54.835Z",
"dateReserved": "2026-06-24T16:01:54.416Z",
"dateUpdated": "2026-06-25T15:14:14.673Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13314 (GCVE-0-2026-13314)
Vulnerability from cvelistv5 – Published: 2026-06-25 13:53 – Updated: 2026-06-25 15:14
VLAI?
Title
Stored XSS in pretix-digital
Summary
Malicious HTML content could be injected into the content rendered by the pretix-digital plugin.
Severity ?
CWE
- CWE-80 - Improper neutralization of Script-Related HTML tags in a web page (basic XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pretix | pretix-digital |
Affected:
0 , < 1.6.5
(python)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13314",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T15:14:32.564997Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T15:14:37.719Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://marketplace.pretix.eu",
"defaultStatus": "unaffected",
"packageName": "pretix-digital",
"product": "pretix-digital",
"vendor": "pretix",
"versions": [
{
"lessThan": "1.6.5",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Malicious HTML content could be injected into the content rendered by the \u003cb\u003epretix-digital\u003c/b\u003e plugin."
}
],
"value": "Malicious HTML content could be injected into the content rendered by the pretix-digital plugin."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80 Improper neutralization of Script-Related HTML tags in a web page (basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T14:17:33.328Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"url": "https://pretix.eu/about/en/blog/20260625-release-2026-5-2/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Stored XSS in pretix-digital",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-13314",
"datePublished": "2026-06-25T13:53:07.715Z",
"dateReserved": "2026-06-25T06:59:45.673Z",
"dateUpdated": "2026-06-25T15:14:37.719Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12863 (GCVE-0-2026-12863)
Vulnerability from cvelistv5 – Published: 2026-06-22 08:41 – Updated: 2026-06-23 11:54
VLAI?
Title
Open redirect
Summary
An unvalidated redirect was contained in Venueless' social login functionality and could be exploited for phishing using trusted domains.
Severity ?
CWE
- CWE-601 - URL redirection to untrusted site ('open redirect')
Assigner
References
Credits
Kuturu Rajesh
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12863",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T10:27:00.898005Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T10:27:10.247Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Venueless",
"vendor": "pretix",
"versions": [
{
"lessThan": "d27864a7",
"status": "affected",
"version": "0.0.0",
"versionType": "git"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kuturu Rajesh"
}
],
"datePublic": "2026-06-22T08:18:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An unvalidated redirect was contained in Venueless\u0027 social login functionality and could be exploited for phishing using trusted domains."
}
],
"value": "An unvalidated redirect was contained in Venueless\u0027 social login functionality and could be exploited for phishing using trusted domains."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL redirection to untrusted site (\u0027open redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T11:54:38.277Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"url": "https://github.com/venueless/venueless/security/advisories/GHSA-m87f-7c4r-w4p3"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Open redirect",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-12863",
"datePublished": "2026-06-22T08:41:33.126Z",
"dateReserved": "2026-06-22T08:17:20.587Z",
"dateUpdated": "2026-06-23T11:54:38.277Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12862 (GCVE-0-2026-12862)
Vulnerability from cvelistv5 – Published: 2026-06-22 08:26 – Updated: 2026-06-22 12:23
VLAI?
Title
XLSX formula injection in exports
Summary
Untrusted user data was passed verbatim to Excel exports for administrators. This allowed formula injection which can be used to compromise the environment of the user loading the file or other data in the file.
Severity ?
CWE
- CWE-148 - Improper neutralization of input leaders
Assigner
References
Credits
Rokkam Vamshi
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12862",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T12:23:08.251405Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T12:23:13.560Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Venueless",
"vendor": "pretix",
"versions": [
{
"lessThan": "0a35457f",
"status": "affected",
"version": "0.0.0",
"versionType": "git"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rokkam Vamshi"
}
],
"datePublic": "2026-06-22T08:18:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Untrusted user data was passed verbatim to Excel exports for administrators. This allowed formula injection which can be used to compromise the environment of the user loading the file or other data in the file."
}
],
"value": "Untrusted user data was passed verbatim to Excel exports for administrators. This allowed formula injection which can be used to compromise the environment of the user loading the file or other data in the file."
}
],
"impacts": [
{
"capecId": "CAPEC-23",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-23 File Content Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-148",
"description": "CWE-148 Improper neutralization of input leaders",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T08:26:10.365Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"url": "https://github.com/venueless/venueless/security/advisories/GHSA-5hw3-655h-7m86"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "XLSX formula injection in exports",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-12862",
"datePublished": "2026-06-22T08:26:10.365Z",
"dateReserved": "2026-06-22T08:16:55.107Z",
"dateUpdated": "2026-06-22T12:23:13.560Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11764 (GCVE-0-2026-11764)
Vulnerability from cvelistv5 – Published: 2026-06-09 11:54 – Updated: 2026-06-09 13:49
VLAI?
Title
Data exposed without proper permission
Summary
When creating an export of all reusable media, the secrets of connected
gift cards were included in the export even if the user creating the
export does not have permission to view gift cards. This is inconsistent
with the UI and API where only the first letters of the gift card
secret are shown. Therefore, it allows circumventing a permission
boundary.
Severity ?
CWE
- CWE-280 - Improper handling of insufficient permissions or privileges
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Mr. JDH
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11764",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T13:49:30.786909Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T13:49:42.672Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.org/",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"repo": "https://github.com/pretix/pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2026.3.0",
"status": "affected",
"version": "2024.1.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2026.3.3",
"status": "unaffected"
}
],
"lessThan": "2026.4.0",
"status": "affected",
"version": "2026.3.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2026.4.3",
"status": "unaffected"
}
],
"lessThan": "2026.5.0",
"status": "affected",
"version": "2026.4.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2026.5.1",
"status": "unaffected"
}
],
"lessThan": "2026.6.0",
"status": "affected",
"version": "2026.5.0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mr. JDH"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eWhen creating an export of all reusable media, the secrets of connected \ngift cards were included in the export even if the user creating the \nexport does not have permission to view gift cards. This is inconsistent\n with the UI and API where only the first letters of the gift card \nsecret are shown. Therefore, it allows circumventing a permission \nboundary.\u003c/p\u003e"
}
],
"value": "When creating an export of all reusable media, the secrets of connected \ngift cards were included in the export even if the user creating the \nexport does not have permission to view gift cards. This is inconsistent\n with the UI and API where only the first letters of the gift card \nsecret are shown. Therefore, it allows circumventing a permission \nboundary."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 3.6,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-280",
"description": "CWE-280 Improper handling of insufficient permissions or privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T11:54:37.865Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://pretix.eu/about/en/blog/20260609-release-2026-5-1/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Data exposed without proper permission",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-11764",
"datePublished": "2026-06-09T11:54:37.865Z",
"dateReserved": "2026-06-09T08:08:24.188Z",
"dateUpdated": "2026-06-09T13:49:42.672Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9712 (GCVE-0-2026-9712)
Vulnerability from cvelistv5 – Published: 2026-05-27 14:35 – Updated: 2026-05-28 15:39
VLAI?
Title
Insecure direct object reference
Summary
When creating an export through the pretix API, API clients are
returned an UUID value for their export job (a long, random string like
35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client
can then request the actual file for download. The same kind of UUID is
used in other places in pretix when temporary files are generated for
internal use or download.
One remaining API endpoint, however, wrongfully did not verify if the
UUID used for download actually belongs to a file that is supposed to
be downloadable and belongs to the correct user. In reality, this is
hard to exploit because an attacker would need to have access to a valid
UUID for the file they desire which is unlikely to happen without a
separate security problem giving them access to logs etc.
Severity ?
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Deepjyoti Roy
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9712",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T15:39:22.313424Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T15:39:28.686Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.org/",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"repo": "https://github.com/pretix/pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2026.2.0",
"status": "affected",
"version": "2024.10.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2026.2.2",
"status": "unaffected"
}
],
"lessThan": "2026.3.0",
"status": "affected",
"version": "2026.2.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2026.3.2",
"status": "unaffected"
}
],
"lessThan": "2026.4.0",
"status": "affected",
"version": "2026.3.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2026.4.2",
"status": "unaffected"
}
],
"lessThan": "2026.5.0",
"status": "affected",
"version": "2026.4.0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Deepjyoti Roy"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eWhen creating an export through the pretix API, API clients are \nreturned an UUID value for their export job (a long, random string like \n35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client \ncan then request the actual file for download. The same kind of UUID is \nused in other places in pretix when temporary files are generated for \ninternal use or download.\u003c/p\u003e\n\u003cp\u003eOne remaining API endpoint, however, wrongfully did not verify if the\n UUID used for download actually belongs to a file that is supposed to \nbe downloadable and belongs to the correct user. In reality, this is \nhard to exploit because an attacker would need to have access to a valid\n UUID for the file they desire which is unlikely to happen without a \nseparate security problem giving them access to logs etc.\u003c/p\u003e"
}
],
"value": "When creating an export through the pretix API, API clients are \nreturned an UUID value for their export job (a long, random string like \n35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client \ncan then request the actual file for download. The same kind of UUID is \nused in other places in pretix when temporary files are generated for \ninternal use or download.\n\n\n\n\nOne remaining API endpoint, however, wrongfully did not verify if the\n UUID used for download actually belongs to a file that is supposed to \nbe downloadable and belongs to the correct user. In reality, this is \nhard to exploit because an attacker would need to have access to a valid\n UUID for the file they desire which is unlikely to happen without a \nseparate security problem giving them access to logs etc."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 3.8,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T14:35:58.857Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://pretix.eu/about/en/blog/20260527-release-2026-4-2/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Insecure direct object reference",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-9712",
"datePublished": "2026-05-27T14:35:58.857Z",
"dateReserved": "2026-05-27T14:18:33.470Z",
"dateUpdated": "2026-05-28T15:39:28.686Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5600 (GCVE-0-2026-5600)
Vulnerability from cvelistv5 – Published: 2026-04-08 12:24 – Updated: 2026-04-08 16:03
VLAI?
Summary
A new API endpoint introduced in pretix 2025 that is supposed to
return all check-in events of a specific event in fact returns all
check-in events belonging to the respective organizer. This allows an
API consumer to access information for all other events under the same
organizer, even those they should not have access to.
These records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example:
{
"id": 123,
"successful": true,
"error_reason": null,
"error_explanation": null,
"position": 321,
"datetime": "2020-08-23T09:00:00+02:00",
"list": 456,
"created": "2020-08-23T09:00:00+02:00",
"auto_checked_in": false,
"gate": null,
"device": 1,
"device_id": 1,
"type": "entry"
}
An unauthorized user usually has no way to match these IDs (position) back to individual people.
Severity ?
CWE
- CWE-653 - Improper isolation or compartmentalization
Assigner
References
Impacted products
Credits
Pratik Karan
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5600",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-08T16:02:54.453740Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:03:07.473Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2026.1.2",
"status": "affected",
"version": "2025.10.0",
"versionType": "python"
},
{
"lessThan": "2026.2.1",
"status": "affected",
"version": "2026.2.0",
"versionType": "python"
},
{
"lessThan": "2026.3.1",
"status": "affected",
"version": "2026.3.0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pratik Karan"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA new API endpoint introduced in pretix 2025 that is supposed to \nreturn all check-in events of a specific event in fact returns all \ncheck-in events belonging to the respective organizer. This allows an \nAPI consumer to access information for all other events under the same \norganizer, even those they should not have access to.\u003c/p\u003e\n\u003cp\u003eThese records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003e{\n \"id\": 123,\n \"successful\": true,\n \"error_reason\": null,\n \"error_explanation\": null,\n \"position\": 321,\n \"datetime\": \"2020-08-23T09:00:00+02:00\",\n \"list\": 456,\n \"created\": \"2020-08-23T09:00:00+02:00\",\n \"auto_checked_in\": false,\n \"gate\": null,\n \"device\": 1,\n \"device_id\": 1,\n \"type\": \"entry\"\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eAn unauthorized user usually has no way to match these IDs (\u003ccode\u003eposition\u003c/code\u003e) back to individual people.\u003c/p\u003e"
}
],
"value": "A new API endpoint introduced in pretix 2025 that is supposed to \nreturn all check-in events of a specific event in fact returns all \ncheck-in events belonging to the respective organizer. This allows an \nAPI consumer to access information for all other events under the same \norganizer, even those they should not have access to.\n\n\nThese records contain information on the time and result of every ticket scan as well as the ID of the matched ticket. Example:\n\n\n{\n \"id\": 123,\n \"successful\": true,\n \"error_reason\": null,\n \"error_explanation\": null,\n \"position\": 321,\n \"datetime\": \"2020-08-23T09:00:00+02:00\",\n \"list\": 456,\n \"created\": \"2020-08-23T09:00:00+02:00\",\n \"auto_checked_in\": false,\n \"gate\": null,\n \"device\": 1,\n \"device_id\": 1,\n \"type\": \"entry\"\n}\n\n\n\nAn unauthorized user usually has no way to match these IDs (position) back to individual people."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "auth"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-653",
"description": "CWE-653 Improper isolation or compartmentalization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T12:24:51.602Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"url": "https://pretix.eu/about/en/blog/20260408-release-2026-3-1/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-5600",
"datePublished": "2026-04-08T12:24:51.602Z",
"dateReserved": "2026-04-05T12:25:54.058Z",
"dateUpdated": "2026-04-08T16:03:07.473Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5599 (GCVE-0-2026-5599)
Vulnerability from cvelistv5 – Published: 2026-04-05 12:36 – Updated: 2026-04-06 14:33
VLAI?
Title
API allows deletion of users of other instance
Summary
A user with API access and "manage users" permission in any venueless
world is able to trigger deletion of user accounts in other worlds.
Severity ?
CWE
- CWE-653 - Improper isolation or compartmentalization
Assigner
References
Credits
Pratik Karan
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5599",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-06T14:32:27.722668Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T14:33:34.105Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Venueless",
"repo": "https://github.com/venueless/venueless",
"vendor": "pretix",
"versions": [
{
"lessThan": "02b9cbe5",
"status": "affected",
"version": "0.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pratik Karan"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A user with API access and \"manage users\" permission in any venueless \nworld is able to trigger deletion of user accounts in other worlds."
}
],
"value": "A user with API access and \"manage users\" permission in any venueless \nworld is able to trigger deletion of user accounts in other worlds."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-653",
"description": "CWE-653 Improper isolation or compartmentalization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-05T12:36:27.278Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"url": "https://github.com/venueless/venueless/security/advisories/GHSA-gwjc-33fv-2gh4"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "API allows deletion of users of other instance",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-5599",
"datePublished": "2026-04-05T12:36:27.278Z",
"dateReserved": "2026-04-05T12:25:52.821Z",
"dateUpdated": "2026-04-06T14:33:34.105Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4982 (GCVE-0-2026-4982)
Vulnerability from cvelistv5 – Published: 2026-03-27 12:32 – Updated: 2026-03-27 19:39
VLAI?
Title
Unauthorized access to chat contents
Summary
A user with permission "update world" in any Venueless world is able to exfiltrate chat messages from direct messages or channels in other worlds on the same server due to a bug in the reporting feature.
The exploitability is limited by the fact that the attacker needs to know the internal channel UUID of the chat channel, which is unlikely to be obtained by an outside attacker, especially for direct messages.
Severity ?
CWE
- CWE-20 - Improper input validation
Assigner
References
Impacted products
Credits
Pratik Karan
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4982",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T19:23:52.214430Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T19:39:20.014Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Venueless",
"vendor": "pretix",
"versions": [
{
"lessThan": "2026.3.27.e20083a",
"status": "affected",
"version": "0.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pratik Karan"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A user with permission \"update world\" in any Venueless world is able to exfiltrate chat messages from direct messages or channels in other worlds on the same server due to a bug in the reporting feature.\u003cbr\u003e\u003cbr\u003eThe exploitability is limited by the fact that the attacker needs to know the internal channel UUID of the chat channel, which is unlikely to be obtained by an outside attacker, especially for direct messages."
}
],
"value": "A user with permission \"update world\" in any Venueless world is able to exfiltrate chat messages from direct messages or channels in other worlds on the same server due to a bug in the reporting feature.\n\nThe exploitability is limited by the fact that the attacker needs to know the internal channel UUID of the chat channel, which is unlikely to be obtained by an outside attacker, especially for direct messages."
}
],
"impacts": [
{
"capecId": "CAPEC-21",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-21 Exploitation of Trusted Identifiers"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper input validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T12:32:41.164Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"url": "https://github.com/venueless/venueless/security/advisories/GHSA-6fq7-pgj3-6cfp"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Unauthorized access to chat contents",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-4982",
"datePublished": "2026-03-27T12:32:41.164Z",
"dateReserved": "2026-03-27T12:15:15.436Z",
"dateUpdated": "2026-03-27T19:39:20.014Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2452 (GCVE-0-2026-2452)
Vulnerability from cvelistv5 – Published: 2026-02-16 10:16 – Updated: 2026-02-17 17:06
VLAI?
Title
Unsafe variable evaluation in email templates
Summary
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name}
is used in an email template, it will be replaced with the buyer's
name for the final email. This mechanism contained a security-relevant bug:
It was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}.
This way, an attacker with the ability to control email templates
(usually every user of the pretix backend) could retrieve sensitive
information from the system configuration, including even database
passwords or API keys. pretix does include mechanisms to prevent the usage of such
malicious placeholders, however due to a mistake in the code, they were
not fully effective for this plugin.
Out of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg https://docs.pretix.eu/self-hosting/config/ file.
Severity ?
CWE
- CWE-627 - Dynamic Variable Evaluation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pretix | pretix-newsletter |
Affected:
1.0.0 , < 2.0.0
(python)
Affected: 2.0.0 , < 2.0.1 (python) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2452",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-17T16:43:10.295791Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-17T17:06:21.998Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://marketplace.pretix.eu/",
"defaultStatus": "unaffected",
"packageName": "pretix-newsletter",
"product": "pretix-newsletter",
"vendor": "pretix",
"versions": [
{
"changes": [
{
"at": "1.6.3",
"status": "unaffected"
}
],
"lessThan": "2.0.0",
"status": "affected",
"version": "1.0.0",
"versionType": "python"
},
{
"lessThan": "2.0.1",
"status": "affected",
"version": "2.0.0",
"versionType": "python"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eEmails sent by pretix can utilize placeholders that will be filled with customer data. For example, when \u003ccode\u003e{name}\u003c/code\u003e\n is used in an email template, it will be replaced with the buyer\u0027s \nname for the final email. This mechanism contained a security-relevant bug:\u003c/p\u003e\u003cp\u003eIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as \u003ccode\u003e{{event.__init__.__code__.co_filename}}\u003c/code\u003e.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for this plugin.\u003c/p\u003e\u003cp\u003eOut of caution, we recommend that you rotate all passwords and API keys contained in your \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.pretix.eu/self-hosting/config/\"\u003epretix.cfg\u003c/a\u003e\u0026nbsp;file.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name}\n is used in an email template, it will be replaced with the buyer\u0027s \nname for the final email. This mechanism contained a security-relevant bug:\n\nIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for this plugin.\n\nOut of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg https://docs.pretix.eu/self-hosting/config/ \u00a0file."
}
],
"impacts": [
{
"capecId": "CAPEC-545",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-545 Pull Data from System Resources"
}
]
},
{
"capecId": "CAPEC-77",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-77 Manipulating User-Controlled Variables"
}
]
},
{
"capecId": "CAPEC-54",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-54 Query System for Information"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"exploitMaturity": "PROOF_OF_CONCEPT",
"privilegesRequired": "LOW",
"providerUrgency": "RED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/RE:L/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-627",
"description": "CWE-627 Dynamic Variable Evaluation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-16T10:16:22.027Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://pretix.eu/about/en/blog/20260216-release-2026-1-1/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Unsafe variable evaluation in email templates",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Limit backend access to trusted users, do not use user-controlled variables in the email templates."
}
],
"value": "Limit backend access to trusted users, do not use user-controlled variables in the email templates."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-2452",
"datePublished": "2026-02-16T10:16:22.027Z",
"dateReserved": "2026-02-13T09:57:35.371Z",
"dateUpdated": "2026-02-17T17:06:21.998Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2451 (GCVE-0-2026-2451)
Vulnerability from cvelistv5 – Published: 2026-02-16 10:16 – Updated: 2026-02-17 17:06
VLAI?
Title
Unsafe variable evaluation in email templates
Summary
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name}
is used in an email template, it will be replaced with the buyer's
name for the final email. This mechanism contained a security-relevant bug:
It was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}.
This way, an attacker with the ability to control email templates
(usually every user of the pretix backend) could retrieve sensitive
information from the system configuration, including even database
passwords or API keys. pretix does include mechanisms to prevent the usage of such
malicious placeholders, however due to a mistake in the code, they were
not fully effective for this plugin.
Out of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg file.
Severity ?
CWE
- CWE-627 - Dynamic Variable Evaluation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pretix | pretix-doistep |
Affected:
1.0.0 , < 1.3.2
(python)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2451",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-17T16:43:11.539670Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-17T17:06:30.536Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://marketplace.pretix.eu/",
"defaultStatus": "unaffected",
"packageName": "pretix-doistep",
"product": "pretix-doistep",
"vendor": "pretix",
"versions": [
{
"lessThan": "1.3.2",
"status": "affected",
"version": "1.0.0",
"versionType": "python"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eEmails sent by pretix can utilize placeholders that will be filled with customer data. For example, when \u003ccode\u003e{name}\u003c/code\u003e\n is used in an email template, it will be replaced with the buyer\u0027s \nname for the final email. This mechanism contained a security-relevant bug:\u003c/p\u003e\u003cp\u003eIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as \u003ccode\u003e{{event.__init__.__code__.co_filename}}\u003c/code\u003e.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for this plugin.\u003c/p\u003e\u003cp\u003eOut of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg\u0026nbsp;file.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name}\n is used in an email template, it will be replaced with the buyer\u0027s \nname for the final email. This mechanism contained a security-relevant bug:\n\nIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for this plugin.\n\nOut of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg\u00a0file."
}
],
"impacts": [
{
"capecId": "CAPEC-545",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-545 Pull Data from System Resources"
}
]
},
{
"capecId": "CAPEC-77",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-77 Manipulating User-Controlled Variables"
}
]
},
{
"capecId": "CAPEC-54",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-54 Query System for Information"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"exploitMaturity": "PROOF_OF_CONCEPT",
"privilegesRequired": "LOW",
"providerUrgency": "RED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/RE:L/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-627",
"description": "CWE-627 Dynamic Variable Evaluation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-16T10:16:05.423Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://pretix.eu/about/en/blog/20260216-release-2026-1-1/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Unsafe variable evaluation in email templates",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Limit backend access to trusted users, do not use user-controlled variables in the email templates."
}
],
"value": "Limit backend access to trusted users, do not use user-controlled variables in the email templates."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-2451",
"datePublished": "2026-02-16T10:16:05.423Z",
"dateReserved": "2026-02-13T09:57:34.221Z",
"dateUpdated": "2026-02-17T17:06:30.536Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2415 (GCVE-0-2026-2415)
Vulnerability from cvelistv5 – Published: 2026-02-16 10:15 – Updated: 2026-02-17 17:06
VLAI?
Title
Unsafe variable evaluation in email templates
Summary
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name}
is used in an email template, it will be replaced with the buyer's
name for the final email. This mechanism contained two security-relevant
bugs:
*
It was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}.
This way, an attacker with the ability to control email templates
(usually every user of the pretix backend) could retrieve sensitive
information from the system configuration, including even database
passwords or API keys. pretix does include mechanisms to prevent the usage of such
malicious placeholders, however due to a mistake in the code, they were
not fully effective for the email subject.
*
Placeholders in subjects and plain text bodies of emails were
wrongfully evaluated twice. Therefore, if the first evaluation of a
placeholder again contains a placeholder, this second placeholder was
rendered. This allows the rendering of placeholders controlled by the
ticket buyer, and therefore the exploitation of the first issue as a
ticket buyer. Luckily, the only buyer-controlled placeholder available
in pretix by default (that is not validated in a way that prevents the
issue) is {invoice_company}, which is very unusual (but not
impossible) to be contained in an email subject template. In addition
to broadening the attack surface of the first issue, this could
theoretically also leak information about an order to one of the
attendees within that order. However, we also consider this scenario
very unlikely under typical conditions.
Out of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg https://docs.pretix.eu/self-hosting/config/ file.
Severity ?
CWE
- CWE-627 - Dynamic Variable Evaluation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2415",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-17T16:43:12.852157Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-17T17:06:39.418Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.org/",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"repo": "https://github.com/pretix/pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2025.9.0",
"status": "affected",
"version": "4.16.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2025.9.4",
"status": "unaffected"
}
],
"lessThan": "2025.10.0",
"status": "affected",
"version": "2025.9.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2025.10.2",
"status": "unaffected"
}
],
"lessThan": "2026.1.0",
"status": "affected",
"version": "2025.10.0",
"versionType": "python"
},
{
"lessThan": "2026.1.1",
"status": "affected",
"version": "2026.1.0",
"versionType": "python"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eEmails sent by pretix can utilize placeholders that will be filled with customer data. For example, when \u003ccode\u003e{name}\u003c/code\u003e\n is used in an email template, it will be replaced with the buyer\u0027s \nname for the final email. This mechanism contained two security-relevant\n bugs:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\n\u003cp\u003eIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as \u003ccode\u003e{{event.__init__.__code__.co_filename}}\u003c/code\u003e.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for the email subject.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003ePlaceholders in subjects and plain text bodies of emails were \nwrongfully evaluated twice. Therefore, if the first evaluation of a \nplaceholder again contains a placeholder, this second placeholder was \nrendered. This allows the rendering of placeholders controlled by the \nticket buyer, and therefore the exploitation of the first issue as a \nticket buyer. Luckily, the only buyer-controlled placeholder available \nin pretix by default (that is not validated in a way that prevents the \nissue) is \u003ccode\u003e{invoice_company}\u003c/code\u003e, which is very unusual (but not\n impossible) to be contained in an email subject template. In addition \nto broadening the attack surface of the first issue, this could \ntheoretically also leak information about an order to one of the \nattendees within that order. However, we also consider this scenario \nvery unlikely under typical conditions.\u003c/p\u003e\u003c/li\u003e\u003c/ol\u003e\u003cdiv\u003eOut of caution, we recommend that you rotate all passwords and API keys contained in your \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.pretix.eu/self-hosting/config/\"\u003epretix.cfg\u003c/a\u003e\u0026nbsp;file.\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name}\n is used in an email template, it will be replaced with the buyer\u0027s \nname for the final email. This mechanism contained two security-relevant\n bugs:\n\n\n\n * \nIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for the email subject.\n\n\n\n\n * \nPlaceholders in subjects and plain text bodies of emails were \nwrongfully evaluated twice. Therefore, if the first evaluation of a \nplaceholder again contains a placeholder, this second placeholder was \nrendered. This allows the rendering of placeholders controlled by the \nticket buyer, and therefore the exploitation of the first issue as a \nticket buyer. Luckily, the only buyer-controlled placeholder available \nin pretix by default (that is not validated in a way that prevents the \nissue) is {invoice_company}, which is very unusual (but not\n impossible) to be contained in an email subject template. In addition \nto broadening the attack surface of the first issue, this could \ntheoretically also leak information about an order to one of the \nattendees within that order. However, we also consider this scenario \nvery unlikely under typical conditions.\n\n\nOut of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg https://docs.pretix.eu/self-hosting/config/ \u00a0file."
}
],
"impacts": [
{
"capecId": "CAPEC-545",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-545 Pull Data from System Resources"
}
]
},
{
"capecId": "CAPEC-77",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-77 Manipulating User-Controlled Variables"
}
]
},
{
"capecId": "CAPEC-54",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-54 Query System for Information"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"exploitMaturity": "PROOF_OF_CONCEPT",
"privilegesRequired": "LOW",
"providerUrgency": "RED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/RE:L/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-627",
"description": "CWE-627 Dynamic Variable Evaluation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-16T10:15:09.149Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://pretix.eu/about/en/blog/20260216-release-2026-1-1/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Unsafe variable evaluation in email templates",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Limit backend access to trusted users, do not use user-controlled variables in the email template subjects."
}
],
"value": "Limit backend access to trusted users, do not use user-controlled variables in the email template subjects."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-2415",
"datePublished": "2026-02-16T10:15:09.149Z",
"dateReserved": "2026-02-12T17:02:46.966Z",
"dateUpdated": "2026-02-17T17:06:39.418Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14881 (GCVE-0-2025-14881)
Vulnerability from cvelistv5 – Published: 2025-12-19 12:24 – Updated: 2025-12-19 12:58
VLAI?
Title
Insecure direct object reference
Summary
Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.
Severity ?
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Deniz Parlak (https://github.com/DenizParlak)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14881",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-19T12:58:00.895498Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T12:58:15.508Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.org/",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"repo": "https://github.com/pretix/pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2025.8.0",
"status": "affected",
"version": "1.0.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2025.8.3",
"status": "unaffected"
}
],
"lessThan": "2025.9.0",
"status": "affected",
"version": "2025.8.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2025.9.3",
"status": "unaffected"
}
],
"lessThan": "2025.10.0",
"status": "affected",
"version": "2025.9.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2025.10.1",
"status": "unaffected"
}
],
"lessThan": "2025.11.0",
"status": "affected",
"version": "2025.10.0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Deniz Parlak (https://github.com/DenizParlak)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only."
}
],
"value": "Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 3.8,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T12:24:10.523Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://pretix.eu/about/en/blog/20251218-release-2025-10-1/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Insecure direct object reference",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2025-14881",
"datePublished": "2025-12-19T12:24:10.523Z",
"dateReserved": "2025-12-18T11:48:11.819Z",
"dateUpdated": "2025-12-19T12:58:15.508Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14882 (GCVE-0-2025-14882)
Vulnerability from cvelistv5 – Published: 2025-12-19 12:24 – Updated: 2025-12-19 13:50
VLAI?
Title
Insecure direct object reference
Summary
An API endpoint allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.
Severity ?
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pretix | pretix-offlinesales |
Affected:
1.12.0 , ≤ 1.12.1
(python)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14882",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-19T13:50:11.991702Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T13:50:26.039Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://marketplace.pretix.eu/",
"defaultStatus": "unaffected",
"packageName": "pretix-offlinesales",
"product": "pretix-offlinesales",
"vendor": "pretix",
"versions": [
{
"lessThanOrEqual": "1.12.1",
"status": "affected",
"version": "1.12.0",
"versionType": "python"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An API endpoint allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only."
}
],
"value": "An API endpoint allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 3.8,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T12:24:01.241Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://pretix.eu/about/en/blog/20251218-release-2025-10-1/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Insecure direct object reference",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2025-14882",
"datePublished": "2025-12-19T12:24:01.241Z",
"dateReserved": "2025-12-18T11:52:58.280Z",
"dateUpdated": "2025-12-19T13:50:26.039Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13742 (GCVE-0-2025-13742)
Vulnerability from cvelistv5 – Published: 2025-11-27 11:04 – Updated: 2025-11-28 15:22
VLAI?
Title
Limited HTML injection in emails
Summary
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML in the resulting email. This way, a user could inject links or other formatted text through a maliciously formatted name. Since pretix applies a strict allow list approach to allowed HTML tags, this could not be abused for XSS or similarly dangerous attack chains. However, it can be used to manipulate emails in a way that makes user-provided content appear in a trustworthy and credible way, which can be abused for phishing.
Severity ?
CWE
- Limited HTML injection in emails
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Jan Roring (binsec GmbH)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13742",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-28T15:20:23.125472Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116 Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-28T15:22:05.481Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.org/",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"repo": "https://github.com/pretix/pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2025.7.0",
"status": "affected",
"version": "1.0.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2025.7.2",
"status": "unaffected"
}
],
"lessThan": "2025.8.0",
"status": "affected",
"version": "2025.7.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2025.8.1",
"status": "unaffected"
}
],
"lessThan": "2025.9.0",
"status": "affected",
"version": "2025.8.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2025.9.1",
"status": "unaffected"
}
],
"lessThan": "2025.10.0",
"status": "affected",
"version": "2025.9.0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jan Roring (binsec GmbH)"
}
],
"datePublic": "2025-11-27T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer\u0027s name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML in the resulting email. This way, a user could inject links or other formatted text through a maliciously formatted name. Since pretix applies a strict allow list approach to allowed HTML tags, this could not be abused for XSS or similarly dangerous attack chains. However, it can be used to manipulate emails in a way that makes user-provided content appear in a trustworthy and credible way, which can be abused for phishing."
}
],
"value": "Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer\u0027s name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML in the resulting email. This way, a user could inject links or other formatted text through a maliciously formatted name. Since pretix applies a strict allow list approach to allowed HTML tags, this could not be abused for XSS or similarly dangerous attack chains. However, it can be used to manipulate emails in a way that makes user-provided content appear in a trustworthy and credible way, which can be abused for phishing."
}
],
"impacts": [
{
"capecId": "CAPEC-134",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-134 Email Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.4,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:L/SC:N/SI:L/SA:L/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Limited HTML injection in emails",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-27T11:04:36.990Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://pretix.eu/about/en/blog/20251126-release-2025-9-1/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Limited HTML injection in emails",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2025-13742",
"datePublished": "2025-11-27T11:04:36.990Z",
"dateReserved": "2025-11-26T14:01:07.019Z",
"dateUpdated": "2025-11-28T15:22:05.481Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-9575 (GCVE-0-2024-9575)
Vulnerability from cvelistv5 – Published: 2024-10-09 09:40 – Updated: 2025-01-09 17:31
VLAI?
Title
Local File Inclusion in pretix-widget WordPress plugin
Summary
Local File Inclusion vulnerability in pretix Widget WordPress plugin pretix-widget on Windows allows PHP Local File Inclusion. This issue affects pretix Widget WordPress plugin: from 1.0.0 through 1.0.5.
Severity ?
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| rami.io GmbH | pretix Widget WordPress plugin |
Affected:
1.0.0 , ≤ 1.0.5
(semver)
Unaffected: 1.0.6 |
Credits
João Pedro Soares de Alcântara (Kinorth)
Patchstack
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:rami.io_gmbh:pretiix_widget_wordpress_plugin:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pretiix_widget_wordpress_plugin",
"vendor": "rami.io_gmbh",
"versions": [
{
"lessThanOrEqual": "1.0.5",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "1.0.6"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9575",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-09T13:32:48.512639Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T17:31:07.612Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "pretix-widget",
"platforms": [
"Windows"
],
"product": "pretix Widget WordPress plugin",
"repo": "https://github.com/pretix/pretix-widget-wordpress/",
"vendor": "rami.io GmbH",
"versions": [
{
"lessThanOrEqual": "1.0.5",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "1.0.6"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The problem appears to be exploitable only on WordPress instances running on Windows machines. The attacker needs edit privileges for pages or posts in the WordPress backend.\u003cbr\u003e"
}
],
"value": "The problem appears to be exploitable only on WordPress instances running on Windows machines. The attacker needs edit privileges for pages or posts in the WordPress backend."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jo\u00e3o Pedro Soares de Alc\u00e2ntara (Kinorth)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Patchstack"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Local File Inclusion vulnerability in pretix Widget WordPress plugin pretix-widget on Windows allows PHP Local File Inclusion. This issue affects pretix Widget WordPress plugin: from 1.0.0 through 1.0.5."
}
],
"value": "Local File Inclusion vulnerability in pretix Widget WordPress plugin pretix-widget on Windows allows PHP Local File Inclusion. This issue affects pretix Widget WordPress plugin: from 1.0.0 through 1.0.5."
}
],
"impacts": [
{
"capecId": "CAPEC-252",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-252 PHP Local File Inclusion"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/RE:L",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73 External Control of File Name or Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-14T07:14:37.443Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://pretix.eu/about/en/blog/20241009-wordpress-plugin-1-0-6/"
},
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/pretix-widget/wordpress-pretix-widget-plugin-1-0-5-local-file-inclusion-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Local File Inclusion in pretix-widget WordPress plugin",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2024-9575",
"datePublished": "2024-10-09T09:40:44.656Z",
"dateReserved": "2024-10-07T07:52:31.490Z",
"dateUpdated": "2025-01-09T17:31:07.612Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8113 (GCVE-0-2024-8113)
Vulnerability from cvelistv5 – Published: 2024-08-23 14:18 – Updated: 2024-08-30 18:40
VLAI?
Title
Stored XSS in Placeholder Samples in Mail Preview
Summary
Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. The default Content Security Policy of pretix prevents execution of attacker-provided scripts, making exploitation unlikely. However, combined with a CSP bypass (which is not currently known) the vulnerability could be used to impersonate other organizers or staff users.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8113",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-30T18:23:56.592210Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-30T18:40:02.041Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"repo": "https://github.com/pretix/pretix",
"vendor": "pretix",
"versions": [
{
"changes": [
{
"at": "2024.4.1",
"status": "unaffected"
},
{
"at": "2024.5.1",
"status": "unaffected"
},
{
"at": "2024.6.1",
"status": "unaffected"
},
{
"at": "2024.7.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "2024.7.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Only exploitable if Content-Security-Policy are removed or if a CSP bypass is possible.\u003cbr\u003e"
}
],
"value": "Only exploitable if Content-Security-Policy are removed or if a CSP bypass is possible."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. The default Content Security Policy of pretix prevents execution of attacker-provided scripts, making exploitation unlikely. However, combined with a CSP bypass (which is not currently known) the vulnerability could be used to impersonate other organizers or staff users.\u003cbr\u003e"
}
],
"value": "Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. The default Content Security Policy of pretix prevents execution of attacker-provided scripts, making exploitation unlikely. However, combined with a CSP bypass (which is not currently known) the vulnerability could be used to impersonate other organizers or staff users."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "No known exploits.\u003cbr\u003e"
}
],
"value": "No known exploits."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/R:U/RE:L/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-23T14:24:05.228Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://pretix.eu/about/en/blog/20240823-release-2024-7-1/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Stored XSS in Placeholder Samples in Mail Preview",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2024-8113",
"datePublished": "2024-08-23T14:18:05.416Z",
"dateReserved": "2024-08-23T08:52:05.098Z",
"dateUpdated": "2024-08-30T18:40:02.041Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}