CVE-2026-13225

UNKNOWN 0.0

Stored XSS in ticket confirmation page

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Malicious HTML content could be injected into the email address of an order, which pretix showed without sanitization on the confirmation page for individual tickets in that order.

CWE	CWE-80
Vendor	pretix
Product	pretix
Published	Jun 25, 2026
Last Updated	Jun 25, 2026

Stay Ahead of the Next One

Get instant alerts for pretix pretix

Be the first to know when new unknown vulnerabilities affecting pretix pretix are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

pretix / pretix

0 < 2026.3.4 2026.4.0 < 2026.4.4 2026.5.0 < 2026.5.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

pretix.eu: https://pretix.eu/about/en/blog/20260625-release-2026-5-2/