Description
Malicious HTML content could be injected into the email address of an
order, which pretix showed without sanitization on the confirmation page
for individual tickets in that order.
Published: 2026-06-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows a malicious attacker to embed arbitrary HTML or script content into the email address field of an order. Pretix stored this input unchanged on the ticket confirmation page for individual tickets, enabling a stored XSS attack. An attacker who can create or modify an order can insert JavaScript that runs in the browser of anyone who views the confirmation page, allowing session hijacking, credential theft, or defacement of the site.

Affected Systems

The affected product is pretix, an event‑ticketing platform. No specific version numbers are provided in the advisory, so any deployment of pretix that has not been updated past the release referenced in the vendor link is potentially vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. No EPSS score is available, so the exploit probability is unknown. The vulnerability is not listed in CISA's KEV catalog. The likely attack vector is an attacker’s ability to submit a crafted order with a malicious email address; the exploitation requires a user to view the confirmation page resulting in script execution in that user’s browser. Because the vulnerability stores the payload, it can affect all users who later view the ticket confirmation page.

Generated by OpenCVE AI on June 25, 2026 at 15:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update pretix to the latest release (for example, 2026‑5‑2) where the email field is properly sanitized.
  • If an immediate update is not possible, ensure that the email address input is validated to allow only standard email characters and escape all HTML entities before rendering them on any page.
  • Implement a content security policy that restricts inline scripts and disallows execution of unknown JavaScript on the confirmation page.

Generated by OpenCVE AI on June 25, 2026 at 15:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Pretix
Pretix pretix
Vendors & Products Pretix
Pretix pretix

Thu, 25 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
Description Malicious HTML content could be injected into the email address of an order, which pretix showed without sanitization on the confirmation page for individual tickets in that order.
Title Stored XSS in ticket confirmation page
Weaknesses CWE-80
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: rami.io

Published:

Updated: 2026-06-25T15:11:12.132Z

Reserved: 2026-06-24T16:14:10.932Z

Link: CVE-2026-13225

cve-icon Vulnrichment

Updated: 2026-06-25T15:11:09.272Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T22:45:04Z

Weaknesses
  • CWE-80

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)