Vulnerabilities in pretix

24 results
CVE | Severity | Description | EPSS
CVE-2026-13225 | MEDIUM | Stored XSS in ticket confirmation page | 0.3%
CVE-2026-57534 | LOW | Stored XSS in pretix-pages | 0.3%
CVE-2026-13314 | LOW | Stored XSS in pretix-digital | 0.3%
CVE-2026-57532 | HIGH | Malicious HTML content contained in the layout specification of a PDF ticket or badge layout was executed when the PDF editor is opened in | 0.3%
CVE-2026-57535 | LOW | Content injected to PDF rendering contexts could, in many places, include HTML content including <img> tags. If the src attribute of these | 0.3%
CVE-2024-8113 | HIGH | Stored XSS in Placeholder Samples in Mail Preview | 0.3%
CVE-2026-2452 | HIGH | Unsafe variable evaluation in email templates | 0.3%
CVE-2026-2451 | HIGH | Unsafe variable evaluation in email templates | 0.3%
CVE-2026-57536 | MEDIUM | Insufficient validation of payment status in pretix-mollie | 0.3%
CVE-2026-13223 | MEDIUM | Insufficient validation of payment status in pretix-computop | 0.3%
CVE-2026-13222 | MEDIUM | Insufficient validation of payment status in pretix-oppwa | 0.3%
CVE-2026-5600 | MEDIUM | A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check- | 0.3%
CVE-2026-57533 | LOW | Malicious HTML content could be injected into the page pretix shows when redirection to an untrusted page occurs. Since this page has a Co | 0.2%
CVE-2026-4982 | HIGH | Unauthorized access to chat contents | 0.2%
CVE-2026-5599 | HIGH | API allows deletion of users of other instance | 0.2%
CVE-2026-2415 | HIGH | Unsafe variable evaluation in email templates | 0.2%
CVE-2026-11764 | LOW | Data exposed without proper permission | 0.2%
CVE-2025-14882 | LOW | Insecure direct object reference | 0.2%
CVE-2026-12863 | MEDIUM | Open redirect | 0.2%
CVE-2025-14881 | LOW | Insecure direct object reference | 0.2%