Skip to main content

Pretix Mollie

2 CVEs product

Monthly

CVE-2026-13602 HIGH PATCH This Week

Privilege escalation to full account takeover in pretix (open-source event ticketing) and its payment integration plugins (Stripe, pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, pretix-saferpay) lets an authenticated backend operator become any user and read any data in the system. The flaw chains three weaknesses: a signed-session-parameter transport path with no scope validation, a signing-oracle reuse of the same key/salt in an unrelated Referer-obfuscation redirect, and the admin "act on behalf of" impersonation feature. No public exploit is identified at time of analysis (CVSS 4.0 carries E:U, exploit unproven), but the vendor fixed all affected components in releases published 2026-07-01.

RCE Pretix Pretix Mollie Pretix Oppwa Pretix Bitpay +4
NVD
CVSS 4.0
7.7
EPSS
0.2%
CVE-2026-57536 MEDIUM PATCH This Month

Payment status replay in pretix-mollie allows unauthenticated attackers to obtain multiple valid event tickets by reusing a single legitimate Mollie payment confirmation. The plugin fails to bind payment status responses to their originating transaction, so a successful payment callback for order A can be submitted against order B. No active exploitation or public proof-of-concept has been identified at time of analysis; a vendor patch was released on 2026-06-25 in version 2026.5.2.

Information Disclosure Pretix Mollie
NVD
CVSS 4.0
6.3
EPSS
0.3%
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Privilege escalation to full account takeover in pretix (open-source event ticketing) and its payment integration plugins (Stripe, pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, pretix-saferpay) lets an authenticated backend operator become any user and read any data in the system. The flaw chains three weaknesses: a signed-session-parameter transport path with no scope validation, a signing-oracle reuse of the same key/salt in an unrelated Referer-obfuscation redirect, and the admin "act on behalf of" impersonation feature. No public exploit is identified at time of analysis (CVSS 4.0 carries E:U, exploit unproven), but the vendor fixed all affected components in releases published 2026-07-01.

RCE Pretix Pretix Mollie +6
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Payment status replay in pretix-mollie allows unauthenticated attackers to obtain multiple valid event tickets by reusing a single legitimate Mollie payment confirmation. The plugin fails to bind payment status responses to their originating transaction, so a successful payment callback for order A can be submitted against order B. No active exploitation or public proof-of-concept has been identified at time of analysis; a vendor patch was released on 2026-06-25 in version 2026.5.2.

Information Disclosure Pretix Mollie
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy