VulnerableCode Package Details - pkg:pypi/pretix@3.14.2

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:pypi/pretix@3.14.2

Essentials
History (10)

purl	pkg:pypi/pretix@3.14.2

Next non-vulnerable version	2023.7.2
Latest non-vulnerable version	2026.3.1
Risk	4.0

Vulnerabilities affecting this package (5)

Vulnerability	Summary	Fixed by
VCID-5n41-d77m-hyae Aliases: CVE-2024-27447 GHSA-672r-97r7-vx2q PYSEC-2024-253	pretix before 2024.1.1 mishandles file validation.	2024.1.1 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-bwvg-dag1-euak Aliases: CVE-2025-13742 PYSEC-2025-154	Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML in the resulting email. This way, a user could inject links or other formatted text through a maliciously formatted name. Since pretix applies a strict allow list approach to allowed HTML tags, this could not be abused for XSS or similarly dangerous attack chains. However, it can be used to manipulate emails in a way that makes user-provided content appear in a trustworthy and credible way, which can be abused for phishing.	2025.7.2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-kccz-jzea-gqh2 Aliases: CVE-2023-44463 GHSA-j9gq-w73w-9h6c PYSEC-2023-187	An issue was discovered in pretix before 2023.7.1. Incorrect parsing of configuration files causes the application to trust unchecked X-Forwarded-For headers even though it has not been configured to do so. This can lead to IP address spoofing by users of the application.	2023.7.1 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-ygfz-y22t-3yab Aliases: CVE-2024-8113 GHSA-45rp-q25w-4426 PYSEC-2024-180	Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. The default Content Security Policy of pretix prevents execution of attacker-provided scripts, making exploitation unlikely. However, combined with a CSP bypass (which is not currently known) the vulnerability could be used to impersonate other organizers or staff users.	2024.7.1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-z1sg-2u88-pyaq Aliases: CVE-2023-27891 GHSA-r76w-3wwq-jv6v PYSEC-2023-42	rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. The fixed versions are 4.15.1, 4.16.1, and 4.17.1.	4.15.1 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 4.16.1 Affected by 6 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 4.17.1 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-05-31T09:47:10.015680+00:00	PyPI Importer	Affected by	VCID-bwvg-dag1-euak	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.6.0
2026-05-31T09:46:19.626271+00:00	PyPI Importer	Affected by	VCID-ygfz-y22t-3yab	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.6.0
2026-05-31T09:45:58.247922+00:00	PyPI Importer	Affected by	VCID-5n41-d77m-hyae	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.6.0
2026-05-31T09:45:20.019646+00:00	PyPI Importer	Affected by	VCID-kccz-jzea-gqh2	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.6.0
2026-05-31T09:44:45.035792+00:00	PyPI Importer	Affected by	VCID-z1sg-2u88-pyaq	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.6.0
2026-05-30T20:36:45.917508+00:00	Pypa Importer	Affected by	VCID-bwvg-dag1-euak	https://github.com/pypa/advisory-database/blob/main/vulns/pretix/PYSEC-2025-154.yaml	38.6.0
2026-05-30T20:34:58.030518+00:00	Pypa Importer	Affected by	VCID-ygfz-y22t-3yab	https://github.com/pypa/advisory-database/blob/main/vulns/pretix/PYSEC-2024-180.yaml	38.6.0
2026-05-30T20:34:10.134709+00:00	Pypa Importer	Affected by	VCID-5n41-d77m-hyae	https://github.com/pypa/advisory-database/blob/main/vulns/pretix/PYSEC-2024-253.yaml	38.6.0
2026-05-30T20:32:45.718836+00:00	Pypa Importer	Affected by	VCID-kccz-jzea-gqh2	https://github.com/pypa/advisory-database/blob/main/vulns/pretix/PYSEC-2023-187.yaml	38.6.0
2026-05-30T20:31:30.378442+00:00	Pypa Importer	Affected by	VCID-z1sg-2u88-pyaq	https://github.com/pypa/advisory-database/blob/main/vulns/pretix/PYSEC-2023-42.yaml	38.6.0