CVE-2026-13225

EPSS -
Veröffentlicht 25.06.2026 14:26:31
Zuletzt bearbeitet 25.06.2026 16:16:33
Quelle 655498c3-6ec5-4f0b-aea6-853b33
CVE-Watchlists
Login
Unerledigt
Login

Stored XSS in ticket confirmation page

Malicious HTML content could be injected into the email address of an 
order, which pretix showed without sanitization on the confirmation page
 for individual tickets in that order.

Betroffene Produkte Warnungen 0 Metriken 1 CWE 1 Referenzen 4

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerpretix

≫

Produkt pretix

Default Statusunaffected

Version 0

Version < 2026.3.4

Status affected

Version 2026.4.0

Version < 2026.4.4

Status affected

Version 2026.5.0

Version < 2026.5.2

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
655498c3-6ec5-4f0b-aea6-853b334d05a6	5.3	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

https://pretix.eu/about/en/blog/20260625-release-2026-5-2/

https://nvd.nist.gov/vuln/detail/CVE-2026-13225

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-13225

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-13225

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-13225