
Pretix vulnerabilities

18 known vulnerabilities affecting pretix/pretix.

Total CVEs: 18
CISA KEV: 0
Public exploits: 0
Exploited in the wild: 0
Severity breakdown: Critical 1, High 3, Medium 8, Low 6

Vulnerabilities

CVE-2024-27447 | 2024-02-26 | P3 | CRITICAL | CVSS 9.8 | fixed in 2024.1.1
CWE-20: pretix before 2024.1.1 mishandles file validation.
Sources: GHSA, NVD, OSV
CVE-2026-57532 | 2026-06-25 | P3 | HIGH | CVSS 8.8 | fixed in 2026.3.4; ≥ 2026.4.0, < 2026.4.4; +1 more
CWE-80: Malicious HTML content contained in the layout specification of a PDF ticket or badge layout was executed when the PDF editor is opened in the browser. This could allow one backend user to inject JavaScript into the browser context of another backend user. Due to requirements of the PDF rendering and editing libraries used, this is one of the few pages
Sources: NVD
CVE-2026-2451 | 2026-02-16 | P3 | MEDIUM | CVSS 6.5 | ≥ 4.16.0, < 2026.1.1
CWE-627: Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained a security-relevant bug: It was possible to exfiltrate information about the pretix system through specially crafted placeh
Sources: NVD
CVE-2026-2452 | 2026-02-16 | P3 | MEDIUM | CVSS 6.5 | ≥ 4.16.0, < 2026.1.1
CWE-627: Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained a security-relevant bug: It was possible to exfiltrate information about the pretix system through specially crafted placeh
Sources: NVD
CVE-2023-27891 | 2023-03-07 | P3 | HIGH | ≥ 4.17.0, < 4.17.1; ≥ 4.16.0, < 4.16.1; +1 more
CWE-613: Insufficient Session Expiration in pretix. rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. The fixed versions are 4.15.1, 4.16.1, and 4.17.1.
Sources: GHSA, OSV
CVE-2026-2415 | 2026-02-16 | P3 | MEDIUM | CVSS 5.9 | ≥ 4.16.0, < 2026.1.1; ≥ 4.16.0, < 2025.9.0; +3 more
CWE-627: Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained two security-relevant bugs: * It was possible to exfiltrate information about the pretix system through specially crafted
Sources: GHSA, NVD, OSV
CVE-2023-44464 | 2023-09-29 | P3 | HIGH | ≥ 0, < 2023.7.2
pretix allows Pillow to parse EPS files. pretix before 2023.7.2 allows Pillow to parse EPS files.
Sources: GHSA, OSV
CVE-2025-13742 | 2025-11-27 | P4 | MEDIUM | CVSS 6.1 | ≥ 1.0.0, < 2025.7.2; v2025.8.0; +5 more
CWE-116: Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML in the resulting email. This way, a user could inject
Sources: GHSA, NVD
CVE-2024-8113 | 2024-08-23 | P4 | MEDIUM | CVSS 5.4 | ≤ 2024.7.0
CWE-79: Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on the settings page. The default Content Security Policy of pretix prevents execution of attacker-provided scripts, making exploitation unlikely. However, combined with a CSP bypass (which is not currently known) t
Sources: GHSA, NVD, OSV
CVE-2026-13225 | 2026-06-25 | P4 | MEDIUM | CVSS 5.3 | fixed in 2026.3.4; ≥ 2026.4.0, < 2026.4.4; +1 more
CWE-80: Malicious HTML content could be injected into the email address of an order, which pretix showed without sanitization on the confirmation page for individual tickets in that order.
Sources: NVD
CVE-2023-44463 | 2023-10-02 | P4 | MEDIUM | ≥ 0, < 2023.7.1
CWE-290: pretix potential IP address spoofing vulnerability. An issue was discovered in pretix before 2023.7.1. Incorrect parsing of configuration files causes the application to trust unchecked X-Forwarded-For headers even though it has not been configured to do so. This can lead to IP address spoofing by users of the application.
Sources: GHSA, OSV
CVE-2026-5600 | 2026-04-08 | P4 | MEDIUM | CVSS 4.3 | ≥ 2025.10.0, < 2026.1.2; ≥ 2026.2.0, < 2026.2.1; +1 more
CWE-653: A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same organizer, even those they should not have access to. These records contain inf
Sources: GHSA, NVD, OSV
CVE-2026-9712 | 2026-05-27 | P4 | LOW | CVSS 3.8 | ≥ 2024.10.0, < 2026.2.0; ≥ 2026.2.0, < 2026.3.0; +2 more
CWE-639: When creating an export through the pretix API, API clients are returned a UUID value for their export job (a long, random string like 35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client can then request the actual file for download. The same kind of UUID is used in other places in pretix when temporary files are generated for internal
Sources: NVD
CVE-2025-14881 | 2025-12-19 | P4 | LOW | CVSS 3.8 | ≥ 1.0.0, < 2025.8.0; ≥ 2025.8.0, < 2025.9.0; +2 more
CWE-639: Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file, although these files were not intended to be accessible by UUID alone.
Sources: GHSA, NVD, OSV
CVE-2025-14882 | 2025-12-19 | P4 | LOW | ≥ 2025.10.0, < 2025.10.1; ≥ 2025.9.0, < 2025.9.3; +1 more
CWE-639: pretix has Broken Access Control Allowing Cross-User File Access via UUID. An API endpoint allowed access to sensitive files from other users by knowing the UUID of the file, although these files were not intended to be accessible by UUID alone.
Sources: GHSA, OSV
CVE-2026-11764 | 2026-06-09 | P4 | LOW | CVSS 3.6 | ≥ 2024.1.0, < 2026.3.0; ≥ 2026.3.0, < 2026.4.0; +2 more
CWE-280: When creating an export of all reusable media, the secrets of connected gift cards were included in the export even if the user creating the export did not have permission to view gift cards. This is inconsistent with the UI and API, where only the first letters of the gift card secret are shown. Therefore, it allows circumventing a permission boundary.
Sources: NVD
CVE-2026-57535 | 2026-06-25 | P4 | LOW | CVSS 2.1 | fixed in 2026.3.4; ≥ 2026.4.0, < 2026.4.4; +1 more
CWE-80: Content injected into PDF rendering contexts could, in many places, include HTML content including <img> tags. If the src attribute of these images pointed to a URL, the PDF rendering engine would download the image from that place and display it, thereby leaking information about the rendering server and possibly creating an SSRF vector in the local network.
Sources: NVD
CVE-2026-57533 | 2026-06-25 | P4 | LOW | CVSS 2.1 | fixed in 2026.3.4; ≥ 2026.4.0, < 2026.4.4; +1 more
CWE-80: Malicious HTML content could be injected into the page pretix shows when redirection to an untrusted page occurs. Since this page has a Content-Security-Policy, this can mainly be used for phishing purposes.
Sources: NVD