Pretix
Monthly
Privilege escalation to full account takeover in pretix (open-source event ticketing) and its payment integration plugins (Stripe, pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, pretix-saferpay) lets an authenticated backend operator become any user and read any data in the system. The flaw chains three weaknesses: a signed-session-parameter transport path with no scope validation, a signing-oracle reuse of the same key/salt in an unrelated Referer-obfuscation redirect, and the admin "act on behalf of" impersonation feature. No public exploit is identified at time of analysis (CVSS 4.0 carries E:U, exploit unproven), but the vendor fixed all affected components in releases published 2026-07-01.
Stored cross-site scripting in Pretix's PDF ticket and badge layout editor allows one backend user to inject JavaScript that executes in another backend user's browser when they open the PDF editor. Affected is the open-source Pretix event-ticketing platform on versions prior to the 2026.5.2 release; the malicious HTML embedded in a layout specification runs because the PDF editor page is one of the few backend pages that lacks a strong Content-Security-Policy. There is no public exploit identified at time of analysis, but the vendor has confirmed and patched the issue.
HTML injection on the pretix untrusted-redirect warning page enables phishing attacks against end users. Affecting the open-source event ticketing platform (all versions prior to 2026.5.2), authenticated low-privileged users can embed malicious HTML content into the redirect interstitial page that pretix displays before forwarding visitors to external URLs. The presence of a Content-Security-Policy on that page blocks script execution, so the primary attack surface is social engineering and credential phishing rather than full cross-site scripting. No public exploit code and no CISA KEV listing have been identified at time of analysis.
HTML injection into server-side PDF rendering contexts in Pretix enables low-privileged authenticated users to embed external image references that trigger outbound HTTP requests from the rendering engine, leaking the server's network identity and creating an SSRF vector against internal network services. The CVSS 4.0 score of 2.1 reflects genuinely low severity - exploitation requires authentication, specific content reaching PDF rendering paths, and passive user interaction to trigger PDF generation. No public exploit code exists and this vulnerability is absent from CISA KEV.
HTML injection on pretix's individual ticket confirmation page allows unsanitized email address content to execute arbitrary HTML - including scripts - in the browser of anyone who views that page. The injection point is the email address field submitted at order creation, which pretix stored and rendered without output encoding on the per-ticket confirmation view. Exploitation requires no authentication (PR:N in CVSS 4.0) but does require a victim to load the affected page (UI:P). No public exploit is identified and the vulnerability is not listed in CISA KEV; a vendor-released patch is available in version 2026.5.2.
Gift card secret exposure in pretix event ticketing software allows a highly privileged user who lacks explicit gift card viewing permission to obtain full gift card secret codes by generating a reusable media export. Affected versions span pretix 2024.1.0 through all releases prior to the 2026.5.1 fix, as confirmed by ENISA EUVD-2026-35407. No public exploit exists at time of analysis (CVSS E:U), but successful exploitation undermines organizational permission boundaries and can enable financial fraud against end customers whose gift card balances are exposed.
Pretix 2025 and 2026 versions contain an API endpoint authorization bypass that returns all check-in events for an organizer rather than a specific event, exposing ticket scan records (including scan timestamps, results, and ticket IDs) across unauthorized events to authenticated API consumers with high-level organizer privileges. The vulnerability affects pretix 2025.10.0 through 2026.3.0, allowing privileged users to access sensitive event data they should not be permitted to view, though individual attendee identity linkage requires additional context not provided by the API response alone.
Information disclosure in Pretix email template processing allows authenticated backend users to extract sensitive system data including database credentials and API keys through specially crafted placeholder syntax that bypasses existing validation controls. An attacker with email template editing permissions can leverage this vulnerability to access confidential configuration information from the system. A patch is available to address the ineffective placeholder sanitization mechanism.
Information disclosure in Pretix email template processing allows authenticated backend users to extract sensitive system data including database credentials and API keys through specially crafted placeholder syntax that bypasses existing security controls. An attacker with email template modification privileges can leverage Python object introspection to access arbitrary system configuration details. No patch is currently available for this vulnerability affecting Pretix and its Double Opt In Step extension.
Pretix email template placeholder injection enables authenticated backend users to extract sensitive system information such as database credentials and API keys through specially crafted placeholder syntax that bypasses insufficient input validation. An attacker with backend access can leverage this vulnerability to enumerate system configuration details and potentially compromise infrastructure security. No patch is currently available for this medium-severity issue affecting Pretix installations.
Emails sent by pretix can utilize placeholders that will be filled with customer data. Rated low severity (CVSS 2.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable. No vendor patch available.
pretix before 2024.1.1 mishandles file validation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue was discovered in pretix before 2023.7.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
pretix before 2023.7.2 allows Pillow to parse EPS files. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.
rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Privilege escalation to full account takeover in pretix (open-source event ticketing) and its payment integration plugins (Stripe, pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, pretix-saferpay) lets an authenticated backend operator become any user and read any data in the system. The flaw chains three weaknesses: a signed-session-parameter transport path with no scope validation, a signing-oracle reuse of the same key/salt in an unrelated Referer-obfuscation redirect, and the admin "act on behalf of" impersonation feature. No public exploit is identified at time of analysis (CVSS 4.0 carries E:U, exploit unproven), but the vendor fixed all affected components in releases published 2026-07-01.
Stored cross-site scripting in Pretix's PDF ticket and badge layout editor allows one backend user to inject JavaScript that executes in another backend user's browser when they open the PDF editor. Affected is the open-source Pretix event-ticketing platform on versions prior to the 2026.5.2 release; the malicious HTML embedded in a layout specification runs because the PDF editor page is one of the few backend pages that lacks a strong Content-Security-Policy. There is no public exploit identified at time of analysis, but the vendor has confirmed and patched the issue.
HTML injection on the pretix untrusted-redirect warning page enables phishing attacks against end users. Affecting the open-source event ticketing platform (all versions prior to 2026.5.2), authenticated low-privileged users can embed malicious HTML content into the redirect interstitial page that pretix displays before forwarding visitors to external URLs. The presence of a Content-Security-Policy on that page blocks script execution, so the primary attack surface is social engineering and credential phishing rather than full cross-site scripting. No public exploit code and no CISA KEV listing have been identified at time of analysis.
HTML injection into server-side PDF rendering contexts in Pretix enables low-privileged authenticated users to embed external image references that trigger outbound HTTP requests from the rendering engine, leaking the server's network identity and creating an SSRF vector against internal network services. The CVSS 4.0 score of 2.1 reflects genuinely low severity - exploitation requires authentication, specific content reaching PDF rendering paths, and passive user interaction to trigger PDF generation. No public exploit code exists and this vulnerability is absent from CISA KEV.
HTML injection on pretix's individual ticket confirmation page allows unsanitized email address content to execute arbitrary HTML - including scripts - in the browser of anyone who views that page. The injection point is the email address field submitted at order creation, which pretix stored and rendered without output encoding on the per-ticket confirmation view. Exploitation requires no authentication (PR:N in CVSS 4.0) but does require a victim to load the affected page (UI:P). No public exploit is identified and the vulnerability is not listed in CISA KEV; a vendor-released patch is available in version 2026.5.2.
Gift card secret exposure in pretix event ticketing software allows a highly privileged user who lacks explicit gift card viewing permission to obtain full gift card secret codes by generating a reusable media export. Affected versions span pretix 2024.1.0 through all releases prior to the 2026.5.1 fix, as confirmed by ENISA EUVD-2026-35407. No public exploit exists at time of analysis (CVSS E:U), but successful exploitation undermines organizational permission boundaries and can enable financial fraud against end customers whose gift card balances are exposed.
Pretix 2025 and 2026 versions contain an API endpoint authorization bypass that returns all check-in events for an organizer rather than a specific event, exposing ticket scan records (including scan timestamps, results, and ticket IDs) across unauthorized events to authenticated API consumers with high-level organizer privileges. The vulnerability affects pretix 2025.10.0 through 2026.3.0, allowing privileged users to access sensitive event data they should not be permitted to view, though individual attendee identity linkage requires additional context not provided by the API response alone.
Information disclosure in Pretix email template processing allows authenticated backend users to extract sensitive system data including database credentials and API keys through specially crafted placeholder syntax that bypasses existing validation controls. An attacker with email template editing permissions can leverage this vulnerability to access confidential configuration information from the system. A patch is available to address the ineffective placeholder sanitization mechanism.
Information disclosure in Pretix email template processing allows authenticated backend users to extract sensitive system data including database credentials and API keys through specially crafted placeholder syntax that bypasses existing security controls. An attacker with email template modification privileges can leverage Python object introspection to access arbitrary system configuration details. No patch is currently available for this vulnerability affecting Pretix and its Double Opt In Step extension.
Pretix email template placeholder injection enables authenticated backend users to extract sensitive system information such as database credentials and API keys through specially crafted placeholder syntax that bypasses insufficient input validation. An attacker with backend access can leverage this vulnerability to enumerate system configuration details and potentially compromise infrastructure security. No patch is currently available for this medium-severity issue affecting Pretix installations.
Emails sent by pretix can utilize placeholders that will be filled with customer data. Rated low severity (CVSS 2.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable. No vendor patch available.
pretix before 2024.1.1 mishandles file validation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue was discovered in pretix before 2023.7.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
pretix before 2023.7.2 allows Pillow to parse EPS files. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.
rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.