CVE-2026-2452
- EPSS 0.04%
- Published 16.02.2026 10:16:22
- Last modified 02.03.2026 20:24:35
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained a security-releva...
CVE-2026-2415
- EPSS 0.05%
- Published 16.02.2026 10:15:09
- Last modified 18.02.2026 17:52:22
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained two security-rele...
CVE-2025-14881
- EPSS 0.06%
- Published 19.12.2025 12:24:10
- Last modified 19.12.2025 18:00:18
Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file, even though these files were not intended to be accessible by UUID only.
CVE-2025-13742
- EPSS 0.04%
- Published 27.11.2025 11:15:47
- Last modified 30.12.2025 15:38:38
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. If the name of the attendee contained HTML or...
CVE-2024-8113
- EPSS 0.15%
- Published 23.08.2024 15:15:17
- Last modified 12.09.2024 18:21:30
Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on the settings page. The default Content Security Policy of pretix prevents execution of attacker-provided scr...
CVE-2024-27447
- EPSS 0.2%
- Published 26.02.2024 16:28:00
- Last modified 11.06.2025 12:53:35
pretix before 2024.1.1 mishandles file validation.