Insecure Payment Integration in Pretix Plugin for VR Payment and Hobex
CVE-2026-13603

Score: 9 (CRITICAL)

Key Information:

Vendor:
Pretix
CVE Published:
1 July 2026

What is CVE-2026-13603?

The pretix-oppwa plugin, which integrates pretix with the VR Payment and Hobex payment providers, does not safely handle URL parameters when the customer is redirected back from the payment provider. An attacker can tamper with the resourcePath parameter of that request, so that the plugin's follow-up API call may be sent to a server of the attacker's choosing instead of to the provider. Because that call carries the plugin's access token, the token can be exposed, giving the attacker unauthorized access to sensitive data within the payment provider's systems. The issue is fixed in the latest release, which strictly validates the API URL built from the parameter. Users are advised to reset their access tokens after applying the patch.
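As an added illustration, not the plugin's own code, the Python below shows why splicing an unvalidated resourcePath into the gateway API URL is dangerous and how a strict check confines the resulting URL to the configured host. The gateway base URL and the sample resource paths are constructed placeholders.

```python
from urllib.parse import urljoin, urlsplit

# Constructed value for the example; the plugin's real endpoint setting
# is not shown on the page.
GATEWAY_BASE = "https://payments.example.com/"


def naive_api_url(base: str, resource_path: str) -> str:
    """The weak pattern: splice the redirect's resourcePath into the
    configured base without checks. urljoin() discards the base when the
    path is an absolute or protocol-relative URL, so the follow-up
    request (carrying the access token) can go to a foreign host."""
    return urljoin(base, resource_path)


def resource_path_allowed(base: str, resource_path: str) -> bool:
    """True only if resource_path is a plain path that still resolves to
    the configured gateway's scheme, host and path prefix."""
    if not resource_path.startswith("/") or resource_path.startswith("//"):
        return False  # absolute or protocol-relative URL
    if any(ch in resource_path for ch in "\r\n\x00 "):
        return False  # control characters that could split the request
    b = urlsplit(base)
    c = urlsplit(urljoin(base, resource_path))
    return (c.scheme, c.netloc) == (b.scheme, b.netloc) and c.path.startswith(b.path)


def safe_api_url(base: str, resource_path: str) -> str:
    """Hardened form: refuse any resourcePath that would leave the gateway."""
    if not resource_path_allowed(base, resource_path):
        raise ValueError("resourcePath does not resolve to the configured gateway")
    return urljoin(base, resource_path)


if __name__ == "__main__":
    good = "/v1/checkouts/abc123/payment"          # constructed sample path
    print(naive_api_url(GATEWAY_BASE, good))
    print(naive_api_url(GATEWAY_BASE, "//attacker.example/collect"))  # leaves the gateway
    print(safe_api_url(GATEWAY_BASE, good))
    try:
        safe_api_url(GATEWAY_BASE, "//attacker.example/collect")
    except ValueError as err:
        print("rejected:", err)
```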

Affected Version(s)

pretix-oppwa, all versions before 1.4.4 (0 ≤ version < 1.4.4)

CVSS V4

Score:
9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
