HTML Injection Vulnerability in Pretix E-commerce Platform
CVE-2026-13225

5.3 MEDIUM

Key Information:

Vendor

Pretix

Status
Vendor
CVE Published:
25 June 2026

What is CVE-2026-13225?

Pretix renders the e-mail address entered for an order on the order confirmation page for individual tickets without sanitising or escaping it. An attacker who places an order can therefore put HTML markup into the e-mail field, and that markup is interpreted by the browser of anyone who views the affected ticket page (HTML injection, with the follow-on risk of content spoofing or script execution depending on what the page lets through). The flaw is fixed in 2026.3.4, 2026.4.4 and 2026.5.2, the first patched release of each affected series; operators should upgrade to one of those or later.
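To make the flaw concrete, here is an added Python example; it is not pretix's own code, and the Order class, the template strings, the payload and the helper names are constructed for illustration. It shows a page that interpolates the order e-mail verbatim, the same page with output escaping, a raw-field check, and a helper that tests a pretix version string against the affected ranges listed on this page.

```python
"""
Added example for CVE-2026-13225 (not pretix's own code): how an unescaped
e-mail field becomes HTML injection on a confirmation page, the fix, and a
version check against the affected ranges. Everything here is constructed.
"""
import html
from dataclasses import dataclass


@dataclass
class Order:
    """Hypothetical minimal order record; stands in for the real model."""
    code: str
    email: str


# Constructed attack input. RFC 5321 permits a quoted local part, so a
# syntax-only e-mail validator can still accept characters such as '<' and '>'.
MALICIOUS_EMAIL = '"<img src=x onerror=alert(1)>"@example.com'
BENIGN_EMAIL = "alice@example.com"


def render_confirmation_vulnerable(order: Order) -> str:
    """Interpolates the e-mail address into markup verbatim (the flaw)."""
    return (
        f"<p>Order {order.code}: a confirmation was sent to "
        f"<strong>{order.email}</strong></p>"
    )


def render_confirmation_safe(order: Order) -> str:
    """Escapes every untrusted value before it is placed in the HTML document."""
    return (
        f"<p>Order {html.escape(order.code, quote=True)}: a confirmation was sent to "
        f"<strong>{html.escape(order.email, quote=True)}</strong></p>"
    )


def looks_like_markup(value: str) -> bool:
    """Defence-in-depth check on the raw field; not a substitute for escaping."""
    return any(ch in value for ch in "<>\"'&")


# Affected ranges as given on this page: [lower, upper) in version tuples.
AFFECTED_RANGES = [
    ((0,), (2026, 3, 4)),
    ((2026, 4, 0), (2026, 4, 4)),
    ((2026, 5, 0), (2026, 5, 2)),
]


def is_affected(version: str) -> bool:
    """True if a numeric pretix version string falls in an affected range."""
    parts = tuple(int(p) for p in version.split(".") if p.isdigit())
    return any(lo <= parts < hi for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    order = Order(code="ABC12", email=MALICIOUS_EMAIL)
    print(render_confirmation_vulnerable(order))
    print(render_confirmation_safe(order))
    print(looks_like_markup(MALICIOUS_EMAIL), looks_like_markup(BENIGN_EMAIL))
    for v in ("2026.3.3", "2026.3.4", "2026.4.2", "2026.5.2"):
        print(v, "affected" if is_affected(v) else "not affected")
```

The point of the quoted local part is that input validation alone is not a reliable fix: the address is syntactically legal, so the safe rendering escapes at output time and keeps the raw-field check only as an extra signal.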

Affected Version(s)

pretix < 2026.3.4 (fixed in 2026.3.4)

pretix >= 2026.4.0, < 2026.4.4 (fixed in 2026.4.4)

pretix >= 2026.5.0, < 2026.5.2 (fixed in 2026.5.2)


CVSS v4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability reserved

  • Vulnerability published: 25 June 2026