CVE Catalog

CVE-2026-13225

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Summary

Malicious HTML content could be injected into the email address of an order, which pretix showed without sanitization on the confirmation page for individual tickets in that order.

Risk Assessment

An attacker could exploit this vulnerability to perform a cross-site scripting (XSS) attack, potentially leading to session theft or display of fraudulent content.

Recommendation

Update pretix to the latest version that includes a fix for the missing input sanitization in the email address field.

Original NVD description (English source)

Malicious HTML content could be injected into the email address of an order, which pretix showed without sanitization on the confirmation page for individual tickets in that order.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS