VulnerableCode Package Details - pkg:pypi/pretix@4.18.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-5n41-d77m-hyae Aliases: CVE-2024-27447 GHSA-672r-97r7-vx2q PYSEC-2024-253	pretix before 2024.1.1 mishandles file validation.	2024.1.1 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-bwvg-dag1-euak Aliases: CVE-2025-13742 PYSEC-2025-154	Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML in the resulting email. This way, a user could inject links or other formatted text through a maliciously formatted name. Since pretix applies a strict allow list approach to allowed HTML tags, this could not be abused for XSS or similarly dangerous attack chains. However, it can be used to manipulate emails in a way that makes user-provided content appear in a trustworthy and credible way, which can be abused for phishing.	2025.7.2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-kccz-jzea-gqh2 Aliases: CVE-2023-44463 GHSA-j9gq-w73w-9h6c PYSEC-2023-187	An issue was discovered in pretix before 2023.7.1. Incorrect parsing of configuration files causes the application to trust unchecked X-Forwarded-For headers even though it has not been configured to do so. This can lead to IP address spoofing by users of the application.	2023.7.1 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-u5jv-2hhr-t7ej Aliases: CVE-2026-2415 GHSA-r8p8-qw9w-j9qv PYSEC-2026-110	Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained two security-relevant bugs: * It was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}. This way, an attacker with the ability to control email templates (usually every user of the pretix backend) could retrieve sensitive information from the system configuration, including even database passwords or API keys. pretix does include mechanisms to prevent the usage of such malicious placeholders, however due to a mistake in the code, they were not fully effective for the email subject. * Placeholders in subjects and plain text bodies of emails were wrongfully evaluated twice. Therefore, if the first evaluation of a placeholder again contains a placeholder, this second placeholder was rendered. This allows the rendering of placeholders controlled by the ticket buyer, and therefore the exploitation of the first issue as a ticket buyer. Luckily, the only buyer-controlled placeholder available in pretix by default (that is not validated in a way that prevents the issue) is {invoice_company}, which is very unusual (but not impossible) to be contained in an email subject template. In addition to broadening the attack surface of the first issue, this could theoretically also leak information about an order to one of the attendees within that order. However, we also consider this scenario very unlikely under typical conditions. Out of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg https://docs.pretix.eu/self-hosting/config/ file.	2025.9.4 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 2025.10.2 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2026.1.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-ygfz-y22t-3yab Aliases: CVE-2024-8113 GHSA-45rp-q25w-4426 PYSEC-2024-180	Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. The default Content Security Policy of pretix prevents execution of attacker-provided scripts, making exploitation unlikely. However, combined with a CSP bypass (which is not currently known) the vulnerability could be used to impersonate other organizers or staff users.	2024.7.1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-5n41-d77m-hyae
Aliases:
CVE-2024-27447
GHSA-672r-97r7-vx2q
PYSEC-2024-253

pretix before 2024.1.1 mishandles file validation.

2024.1.1
Affected by 3 other vulnerabilities.

VCID-bwvg-dag1-euak
Aliases:
CVE-2025-13742
PYSEC-2025-154

Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML in the resulting email. This way, a user could inject links or other formatted text through a maliciously formatted name. Since pretix applies a strict allow list approach to allowed HTML tags, this could not be abused for XSS or similarly dangerous attack chains. However, it can be used to manipulate emails in a way that makes user-provided content appear in a trustworthy and credible way, which can be abused for phishing.

2025.7.2
Affected by 1 other vulnerability.

VCID-kccz-jzea-gqh2
Aliases:
CVE-2023-44463
GHSA-j9gq-w73w-9h6c
PYSEC-2023-187

An issue was discovered in pretix before 2023.7.1. Incorrect parsing of configuration files causes the application to trust unchecked X-Forwarded-For headers even though it has not been configured to do so. This can lead to IP address spoofing by users of the application.

2023.7.1
Affected by 4 other vulnerabilities.

VCID-u5jv-2hhr-t7ej
Aliases:
CVE-2026-2415
GHSA-r8p8-qw9w-j9qv
PYSEC-2026-110

Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained two security-relevant bugs: * It was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}. This way, an attacker with the ability to control email templates (usually every user of the pretix backend) could retrieve sensitive information from the system configuration, including even database passwords or API keys. pretix does include mechanisms to prevent the usage of such malicious placeholders, however due to a mistake in the code, they were not fully effective for the email subject. * Placeholders in subjects and plain text bodies of emails were wrongfully evaluated twice. Therefore, if the first evaluation of a placeholder again contains a placeholder, this second placeholder was rendered. This allows the rendering of placeholders controlled by the ticket buyer, and therefore the exploitation of the first issue as a ticket buyer. Luckily, the only buyer-controlled placeholder available in pretix by default (that is not validated in a way that prevents the issue) is {invoice_company}, which is very unusual (but not impossible) to be contained in an email subject template. In addition to broadening the attack surface of the first issue, this could theoretically also leak information about an order to one of the attendees within that order. However, we also consider this scenario very unlikely under typical conditions. Out of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg https://docs.pretix.eu/self-hosting/config/ file.

2025.9.4
Affected by 1 other vulnerability.

2025.10.2
Affected by 2 other vulnerabilities.

2026.1.1
Affected by 1 other vulnerability.

VCID-ygfz-y22t-3yab
Aliases:
CVE-2024-8113
GHSA-45rp-q25w-4426
PYSEC-2024-180

Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. The default Content Security Policy of pretix prevents execution of attacker-provided scripts, making exploitation unlikely. However, combined with a CSP bypass (which is not currently known) the vulnerability could be used to impersonate other organizers or staff users.

2024.7.1
Affected by 2 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-05-31T09:47:24.884895+00:00	PyPI Importer	Affected by	VCID-u5jv-2hhr-t7ej	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.6.0
2026-05-31T09:47:10.096448+00:00	PyPI Importer	Affected by	VCID-bwvg-dag1-euak	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.6.0
2026-05-31T09:46:19.703659+00:00	PyPI Importer	Affected by	VCID-ygfz-y22t-3yab	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.6.0
2026-05-31T09:45:58.325179+00:00	PyPI Importer	Affected by	VCID-5n41-d77m-hyae	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.6.0
2026-05-31T09:45:20.096576+00:00	PyPI Importer	Affected by	VCID-kccz-jzea-gqh2	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.6.0
2026-05-30T20:37:16.524050+00:00	Pypa Importer	Affected by	VCID-u5jv-2hhr-t7ej	https://github.com/pypa/advisory-database/blob/main/vulns/pretix/PYSEC-2026-110.yaml	38.6.0
2026-05-30T20:36:46.082997+00:00	Pypa Importer	Affected by	VCID-bwvg-dag1-euak	https://github.com/pypa/advisory-database/blob/main/vulns/pretix/PYSEC-2025-154.yaml	38.6.0
2026-05-30T20:34:58.196818+00:00	Pypa Importer	Affected by	VCID-ygfz-y22t-3yab	https://github.com/pypa/advisory-database/blob/main/vulns/pretix/PYSEC-2024-180.yaml	38.6.0
2026-05-30T20:34:10.295970+00:00	Pypa Importer	Affected by	VCID-5n41-d77m-hyae	https://github.com/pypa/advisory-database/blob/main/vulns/pretix/PYSEC-2024-253.yaml	38.6.0
2026-05-30T20:32:45.896039+00:00	Pypa Importer	Affected by	VCID-kccz-jzea-gqh2	https://github.com/pypa/advisory-database/blob/main/vulns/pretix/PYSEC-2023-187.yaml	38.6.0