Pretix Mollie
Monthly
Privilege escalation to full account takeover in pretix (open-source event ticketing) and its payment integration plugins (Stripe, pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, pretix-saferpay) lets an authenticated backend operator become any user and read any data in the system. The flaw chains three weaknesses: a signed-session-parameter transport path with no scope validation, a signing-oracle reuse of the same key/salt in an unrelated Referer-obfuscation redirect, and the admin "act on behalf of" impersonation feature. No public exploit is identified at time of analysis (CVSS 4.0 carries E:U, exploit unproven), but the vendor fixed all affected components in releases published 2026-07-01.
Payment status replay in pretix-mollie allows unauthenticated attackers to obtain multiple valid event tickets by reusing a single legitimate Mollie payment confirmation. The plugin fails to bind payment status responses to their originating transaction, so a successful payment callback for order A can be submitted against order B. No active exploitation or public proof-of-concept has been identified at time of analysis; a vendor patch was released on 2026-06-25 in version 2026.5.2.
Privilege escalation to full account takeover in pretix (open-source event ticketing) and its payment integration plugins (Stripe, pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, pretix-saferpay) lets an authenticated backend operator become any user and read any data in the system. The flaw chains three weaknesses: a signed-session-parameter transport path with no scope validation, a signing-oracle reuse of the same key/salt in an unrelated Referer-obfuscation redirect, and the admin "act on behalf of" impersonation feature. No public exploit is identified at time of analysis (CVSS 4.0 carries E:U, exploit unproven), but the vendor fixed all affected components in releases published 2026-07-01.
Payment status replay in pretix-mollie allows unauthenticated attackers to obtain multiple valid event tickets by reusing a single legitimate Mollie payment confirmation. The plugin fails to bind payment status responses to their originating transaction, so a successful payment callback for order A can be submitted against order B. No active exploitation or public proof-of-concept has been identified at time of analysis; a vendor patch was released on 2026-06-25 in version 2026.5.2.