Skip to main content

Pretix Oppwa

3 CVEs product

Monthly

CVE-2026-13602 HIGH PATCH This Week

Privilege escalation to full account takeover in pretix (open-source event ticketing) and its payment integration plugins (Stripe, pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, pretix-saferpay) lets an authenticated backend operator become any user and read any data in the system. The flaw chains three weaknesses: a signed-session-parameter transport path with no scope validation, a signing-oracle reuse of the same key/salt in an unrelated Referer-obfuscation redirect, and the admin "act on behalf of" impersonation feature. No public exploit is identified at time of analysis (CVSS 4.0 carries E:U, exploit unproven), but the vendor fixed all affected components in releases published 2026-07-01.

RCE Pretix Pretix Mollie Pretix Oppwa Pretix Bitpay +4
NVD
CVSS 4.0
7.7
EPSS
0.2%
CVE-2026-13603 CRITICAL PATCH Act Now

Server-side URL manipulation in the pretix-oppwa payment plugin (fixed in pretix 2026.5.3) lets a remote attacker exfiltrate the Oppwa API access token by tampering with the resourcePath return parameter. Because the plugin concatenated the attacker-controlled resourcePath onto the API base domain without a separating slash or validation, a crafted value redirects pretix's server-side status-check request - which carries the account API key - to an attacker-controlled host. No public exploit identified at time of analysis, and the CVSS 4.0 vector carries E:U (exploit unproven).

Information Disclosure Pretix Oppwa
NVD
CVSS 4.0
9.0
EPSS
0.3%
CVE-2026-13222 MEDIUM PATCH This Month

Payment response replay vulnerability in the pretix-oppwa integration allows a remote attacker to reuse a legitimate Oppwa payment confirmation from one transaction to authorize separate, unpaid orders - effectively obtaining multiple valid event tickets with a single payment. All known versions of the pretix-oppwa plugin (cpe:2.3:a:pretix:pretix-oppwa:*) are affected. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the business logic bypass enables direct financial fraud for event organizers. A vendor patch was released in conjunction with Pretix version 2026-5.2.

Information Disclosure Pretix Oppwa
NVD
CVSS 4.0
6.3
EPSS
0.3%
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Privilege escalation to full account takeover in pretix (open-source event ticketing) and its payment integration plugins (Stripe, pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, pretix-saferpay) lets an authenticated backend operator become any user and read any data in the system. The flaw chains three weaknesses: a signed-session-parameter transport path with no scope validation, a signing-oracle reuse of the same key/salt in an unrelated Referer-obfuscation redirect, and the admin "act on behalf of" impersonation feature. No public exploit is identified at time of analysis (CVSS 4.0 carries E:U, exploit unproven), but the vendor fixed all affected components in releases published 2026-07-01.

RCE Pretix Pretix Mollie +6
NVD
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Server-side URL manipulation in the pretix-oppwa payment plugin (fixed in pretix 2026.5.3) lets a remote attacker exfiltrate the Oppwa API access token by tampering with the resourcePath return parameter. Because the plugin concatenated the attacker-controlled resourcePath onto the API base domain without a separating slash or validation, a crafted value redirects pretix's server-side status-check request - which carries the account API key - to an attacker-controlled host. No public exploit identified at time of analysis, and the CVSS 4.0 vector carries E:U (exploit unproven).

Information Disclosure Pretix Oppwa
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Payment response replay vulnerability in the pretix-oppwa integration allows a remote attacker to reuse a legitimate Oppwa payment confirmation from one transaction to authorize separate, unpaid orders - effectively obtaining multiple valid event tickets with a single payment. All known versions of the pretix-oppwa plugin (cpe:2.3:a:pretix:pretix-oppwa:*) are affected. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the business logic bypass enables direct financial fraud for event organizers. A vendor patch was released in conjunction with Pretix version 2026-5.2.

Information Disclosure Pretix Oppwa
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy