Pretix
Products
1- Pretix13 CVEspypi
Recent CVEs
13| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-5600 | Med | 0.21 | 4.3 | 0.00 | Apr 8, 2026 | A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same … | ||
| CVE-2026-9712 | Low | 0.18 | — | 0.00 | May 27, 2026 | When creating an export through the pretix API, API clients are returned an UUID value for their export job (a long, random string like 35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client can then request the actual file for download. The same kind of UUID… | ||
| CVE-2025-14882 | Low | 0.18 | — | 0.00 | Dec 19, 2025 | An API endpoint allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only. | ||
| CVE-2025-14881 | Low | 0.18 | — | 0.00 | Dec 19, 2025 | Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only. | ||
| CVE-2026-11764 | Low | 0.16 | — | 0.00 | Jun 9, 2026 | When creating an export of all reusable media, the secrets of connected gift cards were included in the export even if the user creating the export does not have permission to view gift cards. This is inconsistent with the UI and API where only the first letters of the gift… | ||
| CVE-2026-2452 | 0.00 | — | 0.00 | Feb 16, 2026 | Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained a security-relevant bug: It was possible to… | |||
| CVE-2026-2451 | 0.00 | — | 0.00 | Feb 16, 2026 | Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained a security-relevant bug: It was possible to… | |||
| CVE-2026-2415 | 0.00 | — | 0.00 | Feb 16, 2026 | Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained two security-relevant bugs: * It was… | |||
| CVE-2025-13742 | 0.00 | — | 0.00 | Nov 27, 2025 | Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. If the name of the attendee contained HTML or Markdown formatting, this… | |||
| CVE-2024-8113 | 0.00 | — | 0.00 | Aug 23, 2024 | Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. The default Content Security Policy of pretix prevents execution of attacker-provided scripts, making exploitation… | |||
| CVE-2024-27447 | 0.00 | — | 0.01 | Feb 26, 2024 | pretix before 2024.1.1 mishandles file validation. | |||
| CVE-2023-44463 | 0.00 | — | 0.01 | Oct 2, 2023 | An issue was discovered in pretix before 2023.7.1. Incorrect parsing of configuration files causes the application to trust unchecked X-Forwarded-For headers even though it has not been configured to do so. This can lead to IP address spoofing by users of the application. | |||
| CVE-2023-44464 | 0.00 | — | 0.00 | Sep 29, 2023 | pretix before 2023.7.2 allows Pillow to parse EPS files. |
- risk 0.21cvss 4.3epss 0.00
A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same …
- risk 0.18cvss —epss 0.00
When creating an export through the pretix API, API clients are returned an UUID value for their export job (a long, random string like 35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client can then request the actual file for download. The same kind of UUID…
- risk 0.18cvss —epss 0.00
An API endpoint allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.
- risk 0.18cvss —epss 0.00
Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.
- risk 0.16cvss —epss 0.00
When creating an export of all reusable media, the secrets of connected gift cards were included in the export even if the user creating the export does not have permission to view gift cards. This is inconsistent with the UI and API where only the first letters of the gift…
- CVE-2026-2452Feb 16, 2026risk 0.00cvss —epss 0.00
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained a security-relevant bug: It was possible to…
- CVE-2026-2451Feb 16, 2026risk 0.00cvss —epss 0.00
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained a security-relevant bug: It was possible to…
- CVE-2026-2415Feb 16, 2026risk 0.00cvss —epss 0.00
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained two security-relevant bugs: * It was…
- CVE-2025-13742Nov 27, 2025risk 0.00cvss —epss 0.00
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. If the name of the attendee contained HTML or Markdown formatting, this…
- CVE-2024-8113Aug 23, 2024risk 0.00cvss —epss 0.00
Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. The default Content Security Policy of pretix prevents execution of attacker-provided scripts, making exploitation…
- CVE-2024-27447Feb 26, 2024risk 0.00cvss —epss 0.01
pretix before 2024.1.1 mishandles file validation.
- CVE-2023-44463Oct 2, 2023risk 0.00cvss —epss 0.01
An issue was discovered in pretix before 2023.7.1. Incorrect parsing of configuration files causes the application to trust unchecked X-Forwarded-For headers even though it has not been configured to do so. This can lead to IP address spoofing by users of the application.
- CVE-2023-44464Sep 29, 2023risk 0.00cvss —epss 0.00
pretix before 2023.7.2 allows Pillow to parse EPS files.