Skip to main content

Venueless

5 CVEs product

Monthly

CVE-2026-13350 LOW PATCH Monitor

Incorrect authorization logic during room creation in Venueless permits authenticated low-privilege users to create room types they are not permitted to create. The CVSS 4.0 score of 2.3 reflects the narrow, integrity-only impact and significant attack preconditions - requiring authentication, high complexity, and specific prerequisites. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Authentication Bypass Venueless
NVD GitHub
CVSS 4.0
2.3
EPSS
0.2%
CVE-2026-12863 MEDIUM This Month

Unvalidated redirect in Venueless social login allows phishing attacks by abusing the trusted domain reputation of legitimate event platform instances. Any Venueless deployment with social login enabled is affected across all tracked versions (CPE wildcard), and an attacker can craft a social login URL embedding an arbitrary external redirect destination that executes silently after a victim completes OAuth authentication. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the low attack complexity and authentication-flow context make this a credible phishing vector against event attendees and organizers.

Open Redirect Venueless
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-12862 MEDIUM PATCH This Month

Formula injection in Venueless Excel exports allows an attacker with a low-privilege account to embed malicious spreadsheet formulas into user-supplied data fields, which execute when an administrator opens the generated export file. Affected deployments include all versions of Venueless (pretix) as indicated by the wildcard CPE entry. No public exploit has been identified at time of analysis, and no CISA KEV listing is present, but the low attack complexity and the availability of a GitHub security advisory signal a credible, reproducible attack path against administrative workflows.

Code Injection Venueless
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-5599 HIGH PATCH This Week

Cross-world user deletion in venueless allows authenticated API users with 'manage users' permission in one world to delete user accounts in completely separate worlds. Venueless versions prior to commit 02b9cbe5 are affected. The CVSS 7.3 rating reflects network-based attack requiring low-complexity exploitation by authenticated users with low privileges. No public exploit identified at time of analysis, though the vulnerability permits unauthorized data destruction across tenant boundaries in multi-tenant deployments.

Information Disclosure Venueless
NVD GitHub
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-4982 HIGH PATCH This Week

Venueless instances allow authenticated users with 'update world' permissions to exfiltrate chat messages from direct messages or other worlds' channels via a flaw in the reporting feature, provided the attacker can obtain the target channel's internal UUID. This cross-world information disclosure affects Pretix Venueless across versions prior to patching, and exploitability is constrained by the requirement to discover internal identifiers that are not typically exposed to unauthorized users.

Information Disclosure Venueless
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.1%
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Incorrect authorization logic during room creation in Venueless permits authenticated low-privilege users to create room types they are not permitted to create. The CVSS 4.0 score of 2.3 reflects the narrow, integrity-only impact and significant attack preconditions - requiring authentication, high complexity, and specific prerequisites. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Authentication Bypass Venueless
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM This Month

Unvalidated redirect in Venueless social login allows phishing attacks by abusing the trusted domain reputation of legitimate event platform instances. Any Venueless deployment with social login enabled is affected across all tracked versions (CPE wildcard), and an attacker can craft a social login URL embedding an arbitrary external redirect destination that executes silently after a victim completes OAuth authentication. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the low attack complexity and authentication-flow context make this a credible phishing vector against event attendees and organizers.

Open Redirect Venueless
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Formula injection in Venueless Excel exports allows an attacker with a low-privilege account to embed malicious spreadsheet formulas into user-supplied data fields, which execute when an administrator opens the generated export file. Affected deployments include all versions of Venueless (pretix) as indicated by the wildcard CPE entry. No public exploit has been identified at time of analysis, and no CISA KEV listing is present, but the low attack complexity and the availability of a GitHub security advisory signal a credible, reproducible attack path against administrative workflows.

Code Injection Venueless
NVD GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Cross-world user deletion in venueless allows authenticated API users with 'manage users' permission in one world to delete user accounts in completely separate worlds. Venueless versions prior to commit 02b9cbe5 are affected. The CVSS 7.3 rating reflects network-based attack requiring low-complexity exploitation by authenticated users with low privileges. No public exploit identified at time of analysis, though the vulnerability permits unauthorized data destruction across tenant boundaries in multi-tenant deployments.

Information Disclosure Venueless
NVD GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Venueless instances allow authenticated users with 'update world' permissions to exfiltrate chat messages from direct messages or other worlds' channels via a flaw in the reporting feature, provided the attacker can obtain the target channel's internal UUID. This cross-world information disclosure affects Pretix Venueless across versions prior to patching, and exploitability is constrained by the requirement to discover internal identifiers that are not typically exposed to unauthorized users.

Information Disclosure Venueless
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy