336 matches found
CVE-2026-5600
A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same organizer, even those th...
CVE-2025-48570
In multiple functions of PipTaskOrganizer.java, there is a possible way to launch an activity from the background due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...
CVE-2025-48570
In multiple functions of PipTaskOrganizer.java, there is a possible way to launch an activity from the background due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...
PYSEC-2026-108
pretalx is a conference planning tool. Prior to 2026.1.0, The organiser search in the pretalx backend rendered submission titles, speaker display names, and user names/emails into the result dropdown using innerHTML string interpolation. Any user who controls one of those fields which includes an...
Cross-site Scripting (XSS)
Overview pretalx is a Conference organisation: CfPs, scheduling, much more Affected versions of this package are vulnerable to Cross-site Scripting XSS in the organizer search. An attacker can execute arbitrary JavaScript code in the context of an organizer's browser by injecting malicious payloa...
[SECURITY] Fedora 44 Update: shotwell-33~alpha-9.fc44
Shotwell is an easy-to-use, fast photo organizer designed for the GNOME desktop. It allows you to import photos from your camera or disk, organize them by date and subject matter, even ratings. It also offers basic photo editing, like crop, red-eye correction, color adjustments, and straighten...
[SECURITY] Fedora 44 Update: gthumb-3.12.10-7.fc44
gthumb is an application for viewing, editing, and organizing collections of images...
PT-2026-31952
Name of the Vulnerable Software and Affected Versions Vikunja versions prior to 2.3.0 Description Vikunja, a self-hosted task management platform, has an issue where the CalDAV output generator doesn't properly escape characters in iCalendar VTODO entries. Specifically, user-controlled task title...
EUVD-2026-20463
A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same organizer, even those th...
pretix: API leaks check-in data between events of the same organizer
A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same organizer, even those th...
GHSA-WR8Q-C73G-M7GP pretix: API leaks check-in data between events of the same organizer
A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same organizer, even those th...
PYSEC-2026-111
A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same organizer, even those th...
CVE-2026-5600
A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same organizer, even those th...
PYSEC-2026-111
A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same organizer, even those th...
Improper Isolation or Compartmentalization
Overview pretix is a Reinventing presales, one ticket at a time Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization in the check-in events endpoint. An attacker can access sensitive information related to all check-in events under the same organizer,...
CVE-2026-5600
A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same organizer, even those th...
CVE-2026-5600
CVE-2026-5600 involves a new API endpoint in pretix (2025 release) that should return check-in events for a specific event but instead exposes all check-in events under the organizer. The affected component is the API handling check-in data; the root cause is an endpoint mis-scoping that leaks re...
CVE-2026-5600
A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same organizer, even those th...
CVE-2026-5600
A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same organizer, even those th...
pretix 安全漏洞
Pretix is a ticketing system developed by the German company Pretix. The pretix 2025 version contains a security vulnerability. This vulnerability stems from the API endpoint returning information about all organizers’ sign-in events. As a result, API users may access event information that shoul...