Skip to main content

Pretix

16 CVEs product

Monthly

CVE-2026-13602 HIGH PATCH This Week

Privilege escalation to full account takeover in pretix (open-source event ticketing) and its payment integration plugins (Stripe, pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, pretix-saferpay) lets an authenticated backend operator become any user and read any data in the system. The flaw chains three weaknesses: a signed-session-parameter transport path with no scope validation, a signing-oracle reuse of the same key/salt in an unrelated Referer-obfuscation redirect, and the admin "act on behalf of" impersonation feature. No public exploit is identified at time of analysis (CVSS 4.0 carries E:U, exploit unproven), but the vendor fixed all affected components in releases published 2026-07-01.

RCE Pretix Pretix Mollie Pretix Oppwa Pretix Bitpay +4
NVD
CVSS 4.0
7.7
EPSS
0.2%
CVE-2026-57532 HIGH PATCH This Week

Stored cross-site scripting in Pretix's PDF ticket and badge layout editor allows one backend user to inject JavaScript that executes in another backend user's browser when they open the PDF editor. Affected is the open-source Pretix event-ticketing platform on versions prior to the 2026.5.2 release; the malicious HTML embedded in a layout specification runs because the PDF editor page is one of the few backend pages that lacks a strong Content-Security-Policy. There is no public exploit identified at time of analysis, but the vendor has confirmed and patched the issue.

XSS Pretix
NVD VulDB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2026-57533 LOW PATCH Monitor

HTML injection on the pretix untrusted-redirect warning page enables phishing attacks against end users. Affecting the open-source event ticketing platform (all versions prior to 2026.5.2), authenticated low-privileged users can embed malicious HTML content into the redirect interstitial page that pretix displays before forwarding visitors to external URLs. The presence of a Content-Security-Policy on that page blocks script execution, so the primary attack surface is social engineering and credential phishing rather than full cross-site scripting. No public exploit code and no CISA KEV listing have been identified at time of analysis.

XSS Pretix
NVD
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-57535 LOW PATCH Monitor

HTML injection into server-side PDF rendering contexts in Pretix enables low-privileged authenticated users to embed external image references that trigger outbound HTTP requests from the rendering engine, leaking the server's network identity and creating an SSRF vector against internal network services. The CVSS 4.0 score of 2.1 reflects genuinely low severity - exploitation requires authentication, specific content reaching PDF rendering paths, and passive user interaction to trigger PDF generation. No public exploit code exists and this vulnerability is absent from CISA KEV.

XSS SSRF Pretix
NVD VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-13225 MEDIUM PATCH This Month

HTML injection on pretix's individual ticket confirmation page allows unsanitized email address content to execute arbitrary HTML - including scripts - in the browser of anyone who views that page. The injection point is the email address field submitted at order creation, which pretix stored and rendered without output encoding on the per-ticket confirmation view. Exploitation requires no authentication (PR:N in CVSS 4.0) but does require a victim to load the affected page (UI:P). No public exploit is identified and the vulnerability is not listed in CISA KEV; a vendor-released patch is available in version 2026.5.2.

XSS Pretix
NVD
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-11764 LOW PATCH Monitor

Gift card secret exposure in pretix event ticketing software allows a highly privileged user who lacks explicit gift card viewing permission to obtain full gift card secret codes by generating a reusable media export. Affected versions span pretix 2024.1.0 through all releases prior to the 2026.5.1 fix, as confirmed by ENISA EUVD-2026-35407. No public exploit exists at time of analysis (CVSS E:U), but successful exploitation undermines organizational permission boundaries and can enable financial fraud against end customers whose gift card balances are exposed.

Information Disclosure Pretix
NVD
CVSS 4.0
3.6
EPSS
0.0%
CVE-2026-5600 PyPI MEDIUM PATCH GHSA This Month

Pretix 2025 and 2026 versions contain an API endpoint authorization bypass that returns all check-in events for an organizer rather than a specific event, exposing ticket scan records (including scan timestamps, results, and ticket IDs) across unauthorized events to authenticated API consumers with high-level organizer privileges. The vulnerability affects pretix 2025.10.0 through 2026.3.0, allowing privileged users to access sensitive event data they should not be permitted to view, though individual attendee identity linkage requires additional context not provided by the API response alone.

Authentication Bypass Pretix
NVD
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2452 MEDIUM PATCH This Month

Information disclosure in Pretix email template processing allows authenticated backend users to extract sensitive system data including database credentials and API keys through specially crafted placeholder syntax that bypasses existing validation controls. An attacker with email template editing permissions can leverage this vulnerability to access confidential configuration information from the system. A patch is available to address the ineffective placeholder sanitization mechanism.

Information Disclosure Pretix Newsletters
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-2451 MEDIUM This Month

Information disclosure in Pretix email template processing allows authenticated backend users to extract sensitive system data including database credentials and API keys through specially crafted placeholder syntax that bypasses existing security controls. An attacker with email template modification privileges can leverage Python object introspection to access arbitrary system configuration details. No patch is currently available for this vulnerability affecting Pretix and its Double Opt In Step extension.

Information Disclosure Pretix Double Opt In Step
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-2415 PyPI MEDIUM PATCH This Month

Pretix email template placeholder injection enables authenticated backend users to extract sensitive system information such as database credentials and API keys through specially crafted placeholder syntax that bypasses insufficient input validation. An attacker with backend access can leverage this vulnerability to enumerate system configuration details and potentially compromise infrastructure security. No patch is currently available for this medium-severity issue affecting Pretix installations.

Information Disclosure Pretix
NVD VulDB
CVSS 3.1
5.9
EPSS
0.1%
CVE-2025-13742 PyPI LOW PATCH Monitor

Emails sent by pretix can utilize placeholders that will be filled with customer data. Rated low severity (CVSS 2.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Pretix
NVD
CVSS 4.0
2.4
EPSS
0.0%
CVE-2024-8113 PyPI HIGH PATCH This Week

Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable. No vendor patch available.

XSS Pretix
NVD
CVSS 4.0
7.2
EPSS
0.3%
CVE-2024-27447 PyPI CRITICAL PATCH Act Now

pretix before 2024.1.1 mishandles file validation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Pretix
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2023-44463 PyPI MEDIUM PATCH This Month

An issue was discovered in pretix before 2023.7.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Pretix
NVD GitHub
CVSS 3.1
5.3
EPSS
0.5%
CVE-2023-44464 PyPI HIGH PATCH This Week

pretix before 2023.7.2 allows Pillow to parse EPS files. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

Information Disclosure Pretix
NVD GitHub
CVSS 3.1
7.8
EPSS
0.3%
CVE-2023-27891 PyPI HIGH PATCH This Week

rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Pretix
NVD
CVSS 3.1
7.5
EPSS
0.6%
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Privilege escalation to full account takeover in pretix (open-source event ticketing) and its payment integration plugins (Stripe, pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, pretix-saferpay) lets an authenticated backend operator become any user and read any data in the system. The flaw chains three weaknesses: a signed-session-parameter transport path with no scope validation, a signing-oracle reuse of the same key/salt in an unrelated Referer-obfuscation redirect, and the admin "act on behalf of" impersonation feature. No public exploit is identified at time of analysis (CVSS 4.0 carries E:U, exploit unproven), but the vendor fixed all affected components in releases published 2026-07-01.

RCE Pretix Pretix Mollie +6
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Stored cross-site scripting in Pretix's PDF ticket and badge layout editor allows one backend user to inject JavaScript that executes in another backend user's browser when they open the PDF editor. Affected is the open-source Pretix event-ticketing platform on versions prior to the 2026.5.2 release; the malicious HTML embedded in a layout specification runs because the PDF editor page is one of the few backend pages that lacks a strong Content-Security-Policy. There is no public exploit identified at time of analysis, but the vendor has confirmed and patched the issue.

XSS Pretix
NVD VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

HTML injection on the pretix untrusted-redirect warning page enables phishing attacks against end users. Affecting the open-source event ticketing platform (all versions prior to 2026.5.2), authenticated low-privileged users can embed malicious HTML content into the redirect interstitial page that pretix displays before forwarding visitors to external URLs. The presence of a Content-Security-Policy on that page blocks script execution, so the primary attack surface is social engineering and credential phishing rather than full cross-site scripting. No public exploit code and no CISA KEV listing have been identified at time of analysis.

XSS Pretix
NVD
EPSS 0% CVSS 2.1
LOW PATCH Monitor

HTML injection into server-side PDF rendering contexts in Pretix enables low-privileged authenticated users to embed external image references that trigger outbound HTTP requests from the rendering engine, leaking the server's network identity and creating an SSRF vector against internal network services. The CVSS 4.0 score of 2.1 reflects genuinely low severity - exploitation requires authentication, specific content reaching PDF rendering paths, and passive user interaction to trigger PDF generation. No public exploit code exists and this vulnerability is absent from CISA KEV.

XSS SSRF Pretix
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

HTML injection on pretix's individual ticket confirmation page allows unsanitized email address content to execute arbitrary HTML - including scripts - in the browser of anyone who views that page. The injection point is the email address field submitted at order creation, which pretix stored and rendered without output encoding on the per-ticket confirmation view. Exploitation requires no authentication (PR:N in CVSS 4.0) but does require a victim to load the affected page (UI:P). No public exploit is identified and the vulnerability is not listed in CISA KEV; a vendor-released patch is available in version 2026.5.2.

XSS Pretix
NVD
EPSS 0% CVSS 3.6
LOW PATCH Monitor

Gift card secret exposure in pretix event ticketing software allows a highly privileged user who lacks explicit gift card viewing permission to obtain full gift card secret codes by generating a reusable media export. Affected versions span pretix 2024.1.0 through all releases prior to the 2026.5.1 fix, as confirmed by ENISA EUVD-2026-35407. No public exploit exists at time of analysis (CVSS E:U), but successful exploitation undermines organizational permission boundaries and can enable financial fraud against end customers whose gift card balances are exposed.

Information Disclosure Pretix
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Pretix 2025 and 2026 versions contain an API endpoint authorization bypass that returns all check-in events for an organizer rather than a specific event, exposing ticket scan records (including scan timestamps, results, and ticket IDs) across unauthorized events to authenticated API consumers with high-level organizer privileges. The vulnerability affects pretix 2025.10.0 through 2026.3.0, allowing privileged users to access sensitive event data they should not be permitted to view, though individual attendee identity linkage requires additional context not provided by the API response alone.

Authentication Bypass Pretix
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Information disclosure in Pretix email template processing allows authenticated backend users to extract sensitive system data including database credentials and API keys through specially crafted placeholder syntax that bypasses existing validation controls. An attacker with email template editing permissions can leverage this vulnerability to access confidential configuration information from the system. A patch is available to address the ineffective placeholder sanitization mechanism.

Information Disclosure Pretix Newsletters
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Information disclosure in Pretix email template processing allows authenticated backend users to extract sensitive system data including database credentials and API keys through specially crafted placeholder syntax that bypasses existing security controls. An attacker with email template modification privileges can leverage Python object introspection to access arbitrary system configuration details. No patch is currently available for this vulnerability affecting Pretix and its Double Opt In Step extension.

Information Disclosure Pretix Double Opt In Step
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Pretix email template placeholder injection enables authenticated backend users to extract sensitive system information such as database credentials and API keys through specially crafted placeholder syntax that bypasses insufficient input validation. An attacker with backend access can leverage this vulnerability to enumerate system configuration details and potentially compromise infrastructure security. No patch is currently available for this medium-severity issue affecting Pretix installations.

Information Disclosure Pretix
NVD VulDB
EPSS 0% CVSS 2.4
LOW PATCH Monitor

Emails sent by pretix can utilize placeholders that will be filled with customer data. Rated low severity (CVSS 2.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Pretix
NVD
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable. No vendor patch available.

XSS Pretix
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

pretix before 2024.1.1 mishandles file validation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Pretix
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

An issue was discovered in pretix before 2023.7.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Pretix
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

pretix before 2023.7.2 allows Pillow to parse EPS files. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

Information Disclosure Pretix
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Pretix
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy