Email Manipulation Vulnerability in Pretix Product by Pretix
CVE-2025-13742

2.4LOW

Key Information:

Vendor: Pretix
Status: Pretix
Vendor: CVE Published:; 27 November 2025

What is CVE-2025-13742?

The Pretix product exposes a vulnerability that allows malicious formatting of attendee names to be rendered as HTML in emails. This vulnerability can manipulate email content dynamically, leading users to perceive a higher level of credibility in malicious links or formatted texts. While XSS attacks are not feasible due to a strict allow list on HTML tags, this manipulation poses a risk for phishing attacks, where users may be lured into clicking deceptive links that appear trustworthy.

Affected Version(s)

pretix 1.0.0 < 2025.7.0

pretix 2025.7.0 < 2025.8.0

pretix 2025.8.0 < 2025.9.0

References

https://pretix.eu/about/en/blog/20251126-release-2025-9-1/

vendor-advisory

CVSS V4

Score:

2.4

Severity:

LOW

Confidentiality:

High

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 27, 2025
Vulnerability Reserved
Nov 26, 2025

Credit

Jan Roring (binsec GmbH)

JSON