PyPI package
pretix
pkg:pypi/pretix
Vulnerabilities (9)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-5600 | Med | 4.3 | | >= 2026.3.0, < 2026.3.1 | 2026.3.1 | Apr 8, 2026 | A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same org |
| CVE-2026-2415 | — | — | | >= 2026.1.0, < 2026.1.1 | 2026.1.1 | Feb 16, 2026 | Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained two security-relevant bugs: * It was po |
| CVE-2025-14882 | Low | — | | >= 2025.10.0, < 2025.10.1 | 2025.10.1 | Dec 19, 2025 | An API endpoint allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only. |
| CVE-2025-14881 | Low | — | | >= 2025.10.0, < 2025.10.1 | 2025.10.1 | Dec 19, 2025 | Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only. |
| CVE-2024-8113 | — | — | | < 2024.7.1 | 2024.7.1 | Aug 23, 2024 | Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. The default Content Security Policy of pretix prevents execution of attacker-provided scripts, making exploitation unli |
| CVE-2024-27447 | — | — | | < 2024.1.1 | 2024.1.1 | Feb 26, 2024 | pretix before 2024.1.1 mishandles file validation. |
| CVE-2023-44463 | — | — | | < 2023.7.1 | 2023.7.1 | Oct 2, 2023 | An issue was discovered in pretix before 2023.7.1. Incorrect parsing of configuration files causes the application to trust unchecked X-Forwarded-For headers even though it has not been configured to do so. This can lead to IP address spoofing by users of the application. |
| CVE-2023-44464 | — | — | | < 2023.7.2 | 2023.7.2 | Sep 29, 2023 | pretix before 2023.7.2 allows Pillow to parse EPS files. |
| CVE-2023-27891 | — | — | | >= 4.17.0, < 4.17.1 | 4.17.1 | Mar 6, 2023 | rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. The fixed versions are 4.15.1, 4.16.1, and 4.17.1. |