Description
Malicious HTML content could be injected into the email address of an
order, which pretix showed without sanitization on the confirmation page
for individual tickets in that order.
Published: 2026-06-25
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to embed arbitrary HTML or script content in the email address field of an order. pretix rendered that value without escaping on the confirmation page for the individual tickets of the order, so the payload persists with the order and runs every time the page is viewed: a stored XSS. Script executing there runs in the origin of the pretix site, so it can read whatever the page exposes to the viewer (ticket details, for instance), act on the viewer's behalf within that session, or deface the page. The CVSS vector records PR:N with passive user interaction (UI:P): the attacker needs no privileges beyond the ability to place an order, and the victim only has to open the confirmation page.

Affected Systems

The affected product is pretix, an event‑ticketing platform. The advisory as captured here gives no affected or fixed version range, so treat any pretix deployment that has not been updated to the vendor's fix release as potentially vulnerable.

Risk and Exploitability

The CVSS v4.0 base score is 5.3 (Medium). The vector, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L, describes a network‑reachable, low‑complexity attack that needs no privileges but does require a victim to open the affected page. No EPSS score is available, so the exploitation probability is unknown, and the vulnerability is not listed in CISA's KEV catalog. The likely attack path is submitting an order whose email address contains a crafted payload; the script then runs in the browser of whoever later views that order's ticket confirmation page. Because the payload is stored with the order, every subsequent viewer of that page is affected until the order data is cleaned and the rendering is fixed.

Generated by OpenCVE AI on June 25, 2026 at 15:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update pretix to the release that fixes this issue (the recommended actions cite 2026‑5‑2 as an example; confirm the exact release against the vendor's release notes), in which the email address is escaped when rendered.
  • If an immediate update is not possible, treat output encoding, not input filtering, as the mitigation: make sure every place the order email is rendered into HTML escapes it (in Django templates, do not pass the value through |safe or mark_safe()). Rejecting characters such as <, > and quotes in submitted email addresses adds defence in depth, but RFC 5321 permits quoted local parts containing those characters, so validation alone is not a reliable fix.
  • Deploy a Content Security Policy whose script-src does not allow 'unsafe-inline' (use nonces or hashes), so that an injected inline script or event-handler attribute on the confirmation page is blocked even if escaping is missed. CSP is a backstop, not a substitute for the fix.
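The following is an added example, not pretix code, written in plain Python rather than Django's template machinery to show the two rendering paths side by side. The function names (render_ticket_vulnerable, render_ticket_fixed, looks_like_email, tag_survives) and the order data are constructed for illustration; the payload uses a quoted local part, which RFC 5321 allows, to show why a syntax check is only defence in depth and output escaping is the actual fix.

```python
"""Added example (not pretix's own code): stored XSS through an order's
email address, and why escaping at output time is the fix.

All names below are hypothetical; the order and payload are constructed."""
import html
import re

# Constructed sample order. The local part is quoted, which RFC 5321 permits,
# so a naive "does it look like an email" check is not enough on its own.
ORDER = {
    "code": "ABC12",
    "email": '"<img src=x onerror=alert(document.cookie)>"@example.com',
}


def render_ticket_vulnerable(order: dict) -> str:
    """Confirmation fragment built by raw interpolation (the buggy pattern).
    Whatever is in the email lands in the DOM unchanged."""
    return (
        f"<h1>Order {order['code']}</h1>"
        f"<p>We sent your ticket to {order['email']}</p>"
    )


def render_ticket_fixed(order: dict) -> str:
    """Same fragment with every untrusted value HTML-escaped at output time.
    html.escape converts & < > " ' to entities, so the browser renders the
    payload as text instead of parsing it as markup."""
    return (
        f"<h1>Order {html.escape(order['code'])}</h1>"
        f"<p>We sent your ticket to {html.escape(order['email'])}</p>"
    )


# Conservative address syntax check: defence in depth, not the fix.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def looks_like_email(value: str) -> bool:
    """True only for addresses made of characters that can never form a tag."""
    return bool(_EMAIL_RE.fullmatch(value))


def tag_survives(fragment: str, tag: str = "img") -> bool:
    """Did the attacker-supplied tag reach the output as real markup?"""
    return f"<{tag}" in fragment


if __name__ == "__main__":
    print("vulnerable:", render_ticket_vulnerable(ORDER))
    print("fixed:     ", render_ticket_fixed(ORDER))
    print("payload passes syntax check:", looks_like_email(ORDER["email"]))
```

The vulnerable output contains a live `<img>` element with an `onerror` handler; the fixed output contains `&lt;img ...&gt;` as inert text. The regex rejects the sample payload, but because legitimate addresses can contain quoted local parts, the escaping in the render path is what has to be correct.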

Generated by OpenCVE AI on June 25, 2026 at 15:20 UTC.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 14:45:00 +0000

Type         Values Removed   Values Added
Description  (none)           Malicious HTML content could be injected into the email address of an order, which pretix showed without sanitization on the confirmation page for individual tickets in that order.
Title        (none)           Stored XSS in ticket confirmation page
Weaknesses   (none)           CWE-80
References   (none)           (none)
Metrics      (none)           cvssV4_0: score 5.3, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L


MITRE

Status: PUBLISHED

Assigner: rami.io

Published:

Updated: 2026-06-25T15:11:12.132Z

Reserved: 2026-06-24T16:14:10.932Z

Link: CVE-2026-13225

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T15:30:16Z

Weaknesses
  • CWE-80

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)