XSS in Pretix
CVE-2026-13225
Malicious HTML content could be injected into the email address of an order, which pretix showed without sanitization on the confirmation page for individual tickets in that order.
Affected products
- Pretix — versions 0, 2026.4.0, 2026.5.0
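
The flaw described above, as an added Python illustration that is not pretix code: a stored order email is interpolated into a confirmation page with and without output escaping, and a small parser-based check reports any element the template did not define. The template, function names and sample address are constructed for this example.

```python
# Added illustration; not pretix's code. All names and the template are hypothetical.
from html import escape
from html.parser import HTMLParser

# Constructed stand-in for the ticket confirmation page fragment.
TEMPLATE = '<p class="order-email">Tickets were sent to {email}</p>'

# Constructed sample: a harmless tag stands in for attacker-supplied markup.
SAMPLE_EMAIL = '"<b>bold</b>"@example.org'

def render_unsafe(email: str) -> str:
    """Flawed pattern: the stored value is placed into HTML as-is."""
    return TEMPLATE.format(email=email)

def render_safe(email: str) -> str:
    """Corrected pattern: HTML-escape at output time, whatever was stored."""
    return TEMPLATE.format(email=escape(email, quote=True))

class _Collector(HTMLParser):
    """Records every start tag and all text the browser would display."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.text = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)

def _parse(rendered: str) -> _Collector:
    parser = _Collector()
    parser.feed(rendered)
    parser.close()
    return parser

def injected_tags(rendered: str, expected=("p",)) -> list:
    """Return elements present in the output that the template did not define."""
    found = _parse(rendered).tags
    for tag in expected:
        if tag in found:
            found.remove(tag)
    return found

def visible_text(rendered: str) -> str:
    """Return the text content, with character references decoded."""
    return "".join(_parse(rendered).text)
```

A check like `injected_tags` fits a regression test that renders each page showing order data with markup-bearing field values and fails when an unexpected element appears.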