Pretix vulnerabilities
18 known vulnerabilities affecting pretix/pretix.
Total CVEs: 18
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 3, MEDIUM 8, LOW 6
Vulnerabilities
CVE-2024-27447 | P3 | CRITICAL | CVSS 9.8 | fixed in 2024.1.1 | published 2024-02-26
CWE-20: pretix before 2024.1.1 mishandles file validation.
Sources: GHSA, NVD, OSV

CVE-2026-57532 | P3 | HIGH | CVSS 8.8 | fixed in 2026.3.4; affected ≥ 2026.4.0, < 2026.4.4 (+1 more) | published 2026-06-25
CWE-80: Malicious HTML content contained in the layout specification of a PDF ticket or badge layout was executed when the PDF editor is opened in the browser. This could allow one backend user to inject JavaScript into the browser context of another backend user. Due to requirements of the PDF rendering and editing libraries used, this is one of the few pages
Sources: NVD

CVE-2026-2451 | P3 | MEDIUM | CVSS 6.5 | affected ≥ 4.16.0, < 2026.1.1 | published 2026-02-16
CWE-627: Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained a security-relevant bug: It was possible to exfiltrate information about the pretix system through specially crafted placeh
Sources: NVD

CVE-2026-2452 | P3 | MEDIUM | CVSS 6.5 | affected ≥ 4.16.0, < 2026.1.1 | published 2026-02-16
CWE-627: Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained a security-relevant bug: It was possible to exfiltrate information about the pretix system through specially crafted placeh
Sources: NVD

CVE-2023-27891 | P3 | HIGH | affected ≥ 4.17.0, < 4.17.1; ≥ 4.16.0, < 4.16.1 (+1 more) | published 2023-03-07
CWE-613: Insufficient Session Expiration in pretix
rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. The fixed versions are 4.15.1, 4.16.1, and 4.17.1.
Sources: GHSA, OSV

CVE-2026-2415 | P3 | MEDIUM | CVSS 5.9 | affected ≥ 4.16.0, < 2026.1.1; ≥ 4.16.0, < 2025.9.0 (+3 more) | published 2026-02-16
CWE-627: Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained two security-relevant bugs:
* It was possible to exfiltrate information about the pretix system through specially crafted
Sources: GHSA, NVD, OSV

CVE-2023-44464 | P3 | HIGH | affected ≥ 0, < 2023.7.2 | published 2023-09-29
pretix allows Pillow to parse EPS files
pretix before 2023.7.2 allows Pillow to parse EPS files.
Sources: GHSA, OSV

CVE-2025-13742 | P4 | MEDIUM | CVSS 6.1 | affected ≥ 1.0.0, < 2025.7.2; v2025.8.0 (+5 more) | published 2025-11-27
CWE-116: Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML in the resulting email. This way, a user could inject
Sources: GHSA, NVD

CVE-2024-8113 | P4 | MEDIUM | CVSS 5.4 | affected ≤ 2024.7.0 | published 2024-08-23
CWE-79: Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. The default Content Security Policy of pretix prevents execution of attacker-provided scripts, making exploitation unlikely. However, combined with a CSP bypass (which is not currently known) t
Sources: GHSA, NVD, OSV

CVE-2026-13225 | P4 | MEDIUM | CVSS 5.3 | fixed in 2026.3.4; affected ≥ 2026.4.0, < 2026.4.4 (+1 more) | published 2026-06-25
CWE-80: Malicious HTML content could be injected into the email address of an order, which pretix showed without sanitization on the confirmation page for individual tickets in that order.
Sources: NVD

CVE-2023-44463 | P4 | MEDIUM | affected ≥ 0, < 2023.7.1 | published 2023-10-02
CWE-290: pretix potential IP address spoofing vulnerability
An issue was discovered in pretix before 2023.7.1. Incorrect parsing of configuration files causes the application to trust unchecked X-Forwarded-For headers even though it has not been configured to do so. This can lead to IP address spoofing by users of the application.
Sources: GHSA, OSV

CVE-2026-5600 | P4 | MEDIUM | CVSS 4.3 | affected ≥ 2025.10.0, < 2026.1.2; ≥ 2026.2.0, < 2026.2.1 (+1 more) | published 2026-04-08
CWE-653: A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same organizer, even those they should not have access to. These records contain inf
Sources: GHSA, NVD, OSV

CVE-2026-9712 | P4 | LOW | CVSS 3.8 | affected ≥ 2024.10.0, < 2026.2.0; ≥ 2026.2.0, < 2026.3.0 (+2 more) | published 2026-05-27
CWE-639: When creating an export through the pretix API, API clients are returned an UUID value for their export job (a long, random string like 35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client can then request the actual file for download. The same kind of UUID is used in other places in pretix when temporary files are generated for internal
Sources: NVD

CVE-2025-14881 | P4 | LOW | CVSS 3.8 | affected ≥ 1.0.0, < 2025.8.0; ≥ 2025.8.0, < 2025.9.0 (+2 more) | published 2025-12-19
CWE-639: Multiple API endpoints allowed access to sensitive files belonging to other users to anyone who knew the file's UUID, even though those files were not intended to be accessible by UUID only.
Sources: GHSA, NVD, OSV

CVE-2025-14882 | P4 | LOW | affected ≥ 2025.10.0, < 2025.10.1; ≥ 2025.9.0, < 2025.9.3 (+1 more) | published 2025-12-19
CWE-639: pretix has Broken Access Control Allowing Cross-User File Access via UUID
An API endpoint allowed access to sensitive files belonging to other users to anyone who knew the file's UUID, even though those files were not intended to be accessible by UUID only.
Sources: GHSA, OSV

CVE-2026-11764 | P4 | LOW | CVSS 3.6 | affected ≥ 2024.1.0, < 2026.3.0; ≥ 2026.3.0, < 2026.4.0 (+2 more) | published 2026-06-09
CWE-280: When creating an export of all reusable media, the secrets of connected gift cards were included in the export even if the user creating the export does not have permission to view gift cards. This is inconsistent with the UI and API, where only the first letters of the gift card secret are shown. Therefore, it allows circumventing a permission boundary.
Sources: NVD

CVE-2026-57535 | P4 | LOW | CVSS 2.1 | fixed in 2026.3.4; affected ≥ 2026.4.0, < 2026.4.4 (+1 more) | published 2026-06-25
CWE-80: Content injected into PDF rendering contexts could, in many places, include HTML content including <img> tags. If the src attribute of these images pointed to a URL, the PDF rendering engine would download the image from that place and display it, thereby leaking information about the rendering server and possibly creating an SSRF vector in the local network.
Sources: NVD

CVE-2026-57533 | P4 | LOW | CVSS 2.1 | fixed in 2026.3.4; affected ≥ 2026.4.0, < 2026.4.4 (+1 more) | published 2026-06-25
CWE-80: Malicious HTML content could be injected into the page pretix shows when redirection to an untrusted page occurs. Since this page has a Content-Security-Policy, this can mainly be used for phishing purposes.
Sources: NVD