pretix
PyPI package: 10 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance. Each entry below gives the CVE ID, severity, CVSS base score, the aggregator's own EG score, the fixed version and the date listed. The "vulnerable" ranges are shown as the aggregator's first and last affected version string plus a version count; the upper bound shown (4.9.1) does not track the fixed version (pretix switched from 4.x to calendar versions such as 2023.7.1), so treat "Fixed in" as the authoritative cutoff when deciding whether an installed version is affected.
CVEs affecting pretix (page 1 of 1)
- CVE-2023-27891 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 4.17.1 | 2023-03-06
  vulnerable: 1.0.0 ... 4.9.1 (112 versions)
  rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. The fixed versions are 4.15.1, 4.16.1, and 4.17.1.
- CVE-2023-44463 | MEDIUM | CVSS 5.3 | EG 5.3 | Fixed in 2023.7.1 | 2023-10-02
  vulnerable: 1.0.0 ... 4.9.1 (126 versions)
  An issue was discovered in pretix before 2023.7.1. Incorrect parsing of configuration files causes the application to trust unchecked X-Forwarded-For headers even though it has not been configured to do so. This can lead to IP address spoo…
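The practitioner's check behind this entry is that X-Forwarded-For must only be honoured when the peer that opened the connection is a configured reverse proxy, and even then only the hops those proxies wrote. The following is an added example, not pretix's own header handling or its configuration parser: it assumes a hypothetical `trusted_proxies` setting holding the CIDRs of the proxies in front of the application, and walks the header from the right so that entries supplied by the client itself are never trusted.

```python
import ipaddress
from typing import List, Optional


def _is_trusted(addr: str, trusted) -> bool:
    """True if addr parses as an IP inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip(remote_addr: str, xff_header: Optional[str], trusted_proxies: List[str]) -> str:
    """Return the address to treat as the client.

    remote_addr     -- the peer that opened the TCP connection (REMOTE_ADDR)
    xff_header      -- raw X-Forwarded-For header value, or None if absent
    trusted_proxies -- hypothetical setting: CIDRs of proxies allowed to set the header
    """
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    # No proxies configured, or the peer is not one of them: the header was
    # written by whoever connected to us and is attacker-controlled.
    if not trusted or not _is_trusted(remote_addr, trusted):
        return remote_addr

    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    candidate = remote_addr
    # Walk right to left: each proxy appends the peer it saw, so the rightmost
    # entries are the ones our trusted proxies wrote. Skip those; the first
    # entry not written by a trusted proxy is the client. Anything further
    # left was supplied by the client and is ignored.
    while hops:
        hop = hops.pop()
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return candidate  # malformed entry: stop, keep the last good hop
        candidate = hop
        if not _is_trusted(hop, trusted):
            break
    return candidate
```

With an empty `trusted_proxies` list the header is ignored entirely, which is the behaviour the advisory says the misparsed configuration failed to deliver; rate limiting, audit logs and any IP allowlist built on top of this value are only as good as that check.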
- CVE-2023-44464 | HIGH | CVSS 7.8 | EG 7.8 | Fixed in 2023.7.2 | 2023-09-29
  vulnerable: 1.0.0 ... 4.9.1 (127 versions)
  pretix before 2023.7.2 allows Pillow to parse EPS files. Pillow's EPS plugin renders EPS by invoking an external Ghostscript process, so accepting EPS uploads hands untrusted PostScript to Ghostscript.
- CVE-2024-27447 | CRITICAL | CVSS 9.8 | EG 9.8 | Fixed in 2024.1.1 | 2024-02-26
  vulnerable: 1.0.0 ... 4.9.1 (136 versions)
  pretix before 2024.1.1 mishandles file validation.
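Both of the preceding entries come down to what an upload endpoint is willing to accept. The following is an added example, not pretix's validator and not a description of either fix: a content-sniffing allowlist that accepts only a few raster formats, rejects EPS explicitly in both its forms (PostScript text and the 4-byte DOS EPS binary header), and refuses uploads whose extension disagrees with their content. The signature table, extension map and size limit are constructed for the example.

```python
from typing import Tuple

# Leading bytes of the raster formats accepted (constructed allowlist).
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# EPS arrives either as PostScript text or with the DOS EPS binary header.
EPS_MARKERS = (b"%!PS", b"\xc5\xd0\xd3\xc6")
# Extensions allowed for each accepted content type.
EXTENSIONS = {"png": {"png"}, "jpeg": {"jpg", "jpeg"}, "gif": {"gif"}}


def sniff(data: bytes) -> str:
    """Classify data by its leading bytes: an accepted kind, 'eps', or 'unknown'."""
    for kind, sigs in SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return kind
    if any(data.startswith(m) for m in EPS_MARKERS):
        return "eps"
    return "unknown"


def validate_upload(filename: str, data: bytes, max_bytes: int = 10 * 1024 * 1024) -> Tuple[bool, str]:
    """Return (accepted, reason-or-kind). Decisions are made on content, not on
    the client-supplied filename, and the filename must then agree with the content."""
    if not data or len(data) > max_bytes:
        return False, "empty or oversized"
    kind = sniff(data)
    if kind == "eps":
        return False, "eps rejected"
    if kind == "unknown":
        return False, "unrecognised format"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in EXTENSIONS[kind]:
        return False, f"extension .{ext} does not match {kind} content"
    return True, kind
```

This check belongs before the bytes ever reach an image library. If the file is then opened with Pillow, check `Image.open(...).format` against the same allowlist before calling `load()`, since for EPS it is the load step that starts Ghostscript.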
- CVE-2024-8113 | MEDIUM | CVSS 5.4 | EG 5.4 | Fixed in 2024.7.1 | 2024-08-23
  vulnerable: 1.0.0 ... 4.9.1 (145 versions)
  Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. The default Content Security Policy of pretix prevents execution of attacker-p…
- CVE-2025-13742 | MEDIUM | CVSS 6.1 | EG 6.1 | Fixed in 2025.7.2 | 2025-11-27
  vulnerable: 1.0.0 ... 4.9.1 (156 versions)
  Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. If the name of the attendee contai…
- CVE-2025-14881 | LOW | CVSS 3.8 | EG 0.0 | Fixed in 2025.8.3 | 2025-12-19
  vulnerable: 1.0.0 ... 4.9.1 (163 versions)
  Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.
- CVE-2025-14882 | LOW | CVSS 3.8 | EG 0.0 | Fixed in 2025.8.3 | 2025-12-19
  vulnerable: 1.0.0 ... 4.9.1 (163 versions)
  An API endpoint allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.
- CVE-2026-2415 | MEDIUM | CVSS 5.9 | EG 5.9 | Fixed in 2026.1.1 | 2026-02-16
  vulnerable: 2026.1.0
  Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained two se…
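CVE-2025-13742 and CVE-2026-2415 above both concern the same mechanism: customer-supplied values substituted into email templates. The following is an added example, not pretix's template engine and not a statement of what either fix changed: it contrasts verbatim substitution into an HTML body (the vulnerable pattern) with escaping every value at the point of substitution, and shows that a single-pass substitution does not expand placeholder syntax that arrives inside a value. The `{name}`-style syntax matches the advisory text; the regex, sample values and function names are constructed for the example.

```python
import html
import re
from typing import Mapping

# Placeholders look like {name}; the value comes from customer-supplied data.
PLACEHOLDER = re.compile(r"\{([a-z_]+)\}")

# Constructed sample data: an attendee name carrying markup (not a real record).
SAMPLE_VALUES = {
    "name": '<img src=x onerror="alert(1)">',
    "order": "ABC12",
}


def substitute(template: str, values: Mapping[str, object], escape_html: bool) -> str:
    """Replace each {placeholder} with its value in one pass.

    Placeholders appearing *inside* a substituted value are never expanded,
    because re.sub scans the template, not its own output.
    Unknown placeholders are left literal so template typos stay visible.
    """
    def sub(m: "re.Match[str]") -> str:
        key = m.group(1)
        if key not in values:
            return m.group(0)
        value = str(values[key])
        return html.escape(value, quote=True) if escape_html else value

    return PLACEHOLDER.sub(sub, template)


def render_unsafe(template: str, values: Mapping[str, object]) -> str:
    """Vulnerable pattern: values land verbatim in an HTML body, so markup in a
    customer-supplied name becomes live HTML in the rendered mail."""
    return substitute(template, values, escape_html=False)


def render_html(template: str, values: Mapping[str, object]) -> str:
    """Hardened form for the HTML part: every value is escaped as it is inserted."""
    return substitute(template, values, escape_html=True)


def render_text(template: str, values: Mapping[str, object]) -> str:
    """Plain-text part: no HTML escaping is appropriate, but the single-pass
    guarantee against placeholder injection through values still holds."""
    return substitute(template, values, escape_html=False)
```

Escaping has to happen per value and per output format: the HTML part escapes, the text part does not, and neither runs the substituted output through the placeholder engine a second time.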
- CVE-2026-5600 | MEDIUM | CVSS 4.3 | EG 4.3 | Fixed in 2026.3.1 | 2026-04-08
  vulnerable: 2025.10.0 ... 2026.3.0 (7 versions)
  A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information…
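CVE-2025-14881, CVE-2025-14882 and CVE-2026-5600 are all object-level authorization failures: in the first two, knowing a file's UUID was enough to fetch it; in the third, a filter the URL promises (the event) was not applied to the query. The following is an added example, not pretix's API code and not a description of its fixes: an in-memory model with the vulnerable lookup pattern beside a scoped one for each case. The records, user and organizer names, and UUIDs are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List


class NotFound(Exception):
    """Raised for missing *and* foreign objects, so a guessed UUID gets the same 404."""


@dataclass(frozen=True)
class StoredFile:
    id: str
    owner: str       # user who uploaded it
    organizer: str   # organizer account it belongs to


@dataclass(frozen=True)
class Checkin:
    id: int
    organizer: str
    event: str


# Constructed sample records (not real pretix data).
ALICE_FILE = "6f1c9e2a-0b7d-4c3e-9a5f-1d2e3f4a5b6c"
BOB_FILE = "9b8a7c6d-5e4f-4a3b-8c2d-1e0f9a8b7c6d"
FILES: Dict[str, StoredFile] = {
    ALICE_FILE: StoredFile(ALICE_FILE, owner="alice", organizer="org-a"),
    BOB_FILE: StoredFile(BOB_FILE, owner="bob", organizer="org-b"),
}
CHECKINS: List[Checkin] = [
    Checkin(1, "org-a", "conf"),
    Checkin(2, "org-a", "workshop"),
    Checkin(3, "org-b", "conf"),
]


def get_file_by_uuid(file_id: str) -> StoredFile:
    """Vulnerable pattern: possession of the UUID is treated as authorization."""
    if file_id not in FILES:
        raise NotFound(file_id)
    return FILES[file_id]


def get_file(file_id: str, requester: str, organizer: str) -> StoredFile:
    """Hardened: the UUID only locates the row. The requester's identity and the
    organizer scope of the request are both checked before anything is returned,
    and a foreign object is indistinguishable from a missing one."""
    f = FILES.get(file_id)
    if f is None or f.owner != requester or f.organizer != organizer:
        raise NotFound(file_id)
    return f


def file_visible(file_id: str, requester: str, organizer: str) -> bool:
    """Convenience predicate over get_file for callers that only need yes/no."""
    try:
        get_file(file_id, requester, organizer)
    except NotFound:
        return False
    return True


def checkins_by_organizer(organizer: str, event: str) -> List[Checkin]:
    """Vulnerable pattern: the event parameter is accepted but never applied."""
    return [c for c in CHECKINS if c.organizer == organizer]


def checkins_for_event(organizer: str, event: str) -> List[Checkin]:
    """Hardened: every filter the URL promises is applied to the query."""
    return [c for c in CHECKINS if c.organizer == organizer and c.event == event]
```

The useful review question for any endpoint that takes an identifier is whether the query is filtered by the caller's identity and by every scope segment in the URL, not merely by the identifier; unguessable IDs reduce exposure but are not an access control.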
Check whether pretix is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for pretix CVEs against the assets you own.