VYPR
Vendor

Pretix

Products
1
CVEs
13
Across products
13
Status
Private

Products

1

Recent CVEs

13
  • CVE-2026-5600MedApr 8, 2026
    risk 0.21cvss 4.3epss 0.00

    A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same …

  • CVE-2026-9712LowMay 27, 2026
    risk 0.18cvss epss 0.00

    When creating an export through the pretix API, API clients are returned an UUID value for their export job (a long, random string like 35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client can then request the actual file for download. The same kind of UUID…

  • CVE-2025-14882LowDec 19, 2025
    risk 0.18cvss epss 0.00

    An API endpoint allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.

  • CVE-2025-14881LowDec 19, 2025
    risk 0.18cvss epss 0.00

    Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.

  • CVE-2026-11764LowJun 9, 2026
    risk 0.16cvss epss 0.00

    When creating an export of all reusable media, the secrets of connected gift cards were included in the export even if the user creating the export does not have permission to view gift cards. This is inconsistent with the UI and API where only the first letters of the gift…

  • CVE-2026-2452Feb 16, 2026
    risk 0.00cvss epss 0.00

    Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained a security-relevant bug: It was possible to…

  • CVE-2026-2451Feb 16, 2026
    risk 0.00cvss epss 0.00

    Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained a security-relevant bug: It was possible to…

  • CVE-2026-2415Feb 16, 2026
    risk 0.00cvss epss 0.00

    Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained two security-relevant bugs: * It was…

  • CVE-2025-13742Nov 27, 2025
    risk 0.00cvss epss 0.00

    Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. If the name of the attendee contained HTML or Markdown formatting, this…

  • CVE-2024-8113Aug 23, 2024
    risk 0.00cvss epss 0.00

    Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. The default Content Security Policy of pretix prevents execution of attacker-provided scripts, making exploitation…

  • CVE-2024-27447Feb 26, 2024
    risk 0.00cvss epss 0.01

    pretix before 2024.1.1 mishandles file validation.

  • CVE-2023-44463Oct 2, 2023
    risk 0.00cvss epss 0.01

    An issue was discovered in pretix before 2023.7.1. Incorrect parsing of configuration files causes the application to trust unchecked X-Forwarded-For headers even though it has not been configured to do so. This can lead to IP address spoofing by users of the application.

  • CVE-2023-44464Sep 29, 2023
    risk 0.00cvss epss 0.00

    pretix before 2023.7.2 allows Pillow to parse EPS files.