Security release 2025.9.2 of pretix and security advisory for pretix Hosted
During a penetration test, we discovered two security issues inside pretix. We therefore just released versions 2025.9.2, 2025.8.2, and 2025.7.3 of pretix that fix these problems. It is strongly recommended that you update your installation as soon as possible, especially if you host pretix for third-party event organizers.
If you are a customer of our pretix Hosted service, the vulnerabilities are already fixed for you and you do not need to take action.
#1: Limited HTML injection in emails [LOW]
CVE ID: CVE-2025-13742
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML in the resulting email. This way, a user could inject links or other formatted text through a maliciously formatted name. Since pretix applies a strict allow list approach to allowed HTML tags, this could not be abused for XSS or similarly dangerous attack chains. However, it can be used to manipulate emails in a way that makes user-provided content appear in a trustworthy and credible way, which can be abused for phishing.
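The ordering problem described above, as an added example that is not pretix's own code: a tiny stand-in for a Markdown renderer (only links and bold, assumed here instead of a real Markdown library) is fed a template with a {name} placeholder. Substituting the value first and rendering second lets Markdown in the name turn into a link; rendering the template first and then inserting HTML-escaped values keeps the name literal. The fixed ordering is one possible remedy, not necessarily the one pretix shipped, and it has the side effect the update note mentions: placeholders whose values are meant to carry Markdown no longer render.

```python
import html
import re

# Constructed stand-in for a Markdown renderer: only [text](url) links and **bold**.
LINK_RE = re.compile(r"\[([^\]]+)\]\((https?://[^\s)]+)\)")
BOLD_RE = re.compile(r"\*\*([^*]+)\*\*")


def render_markdown(text: str) -> str:
    # Escape raw HTML first, then apply the Markdown subset.
    out = html.escape(text, quote=True)
    out = LINK_RE.sub(r'<a href="\2">\1</a>', out)
    out = BOLD_RE.sub(r"<strong>\1</strong>", out)
    return out


def render_email_vulnerable(template: str, context: dict) -> str:
    # Substitute first, render second: placeholder values are parsed as Markdown,
    # so formatting inside a buyer's name ends up as real markup in the email.
    return render_markdown(template.format_map(context))


def render_email_fixed(template: str, context: dict) -> str:
    # Render the template's own Markdown first, then insert HTML-escaped values.
    # Placeholder values can no longer introduce links or formatting; placeholders
    # that are supposed to output Markdown (e.g. from plugins) stop rendering.
    rendered = render_markdown(template)
    safe = {k: html.escape(str(v), quote=True) for k, v in context.items()}
    return rendered.format_map(safe)


# Constructed sample input: a buyer name containing a Markdown link.
TEMPLATE = "Hello {name},\n\nyour ticket for **{event}** is attached."
CONTEXT = {"name": "[Max &amp; Co](https://example.invalid/)".replace("&amp;", "&"),
           "event": "PyCon"}

if __name__ == "__main__":
    print("vulnerable:", render_email_vulnerable(TEMPLATE, CONTEXT))
    print("fixed:     ", render_email_fixed(TEMPLATE, CONTEXT))
```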
Severity rating: Since no data exfiltration or script injection is possible and this can only be exploited in very specific scenarios and to a very small degree, we consider the severity to be low.
Affected versions: All currently supported versions of pretix prior to 2025.9.1 (except the fixed versions listed below) are affected.
Update note: Fixing this vulnerability required changing the way emails are rendered. If you use plugins that provide additional placeholders with Markdown-formatted output or if you rely on using placeholders including mark, this update might break their output. We avoid breaking changes in security releases at all cost, but in this case it was unavoidable and we recommend testing your plugins with the new version.
This issue has been found by Jan Roring (binsec GmbH) during an external penetration test that we commissioned.
#2: Missing validation during password change [MEDIUM]
When changing the password of a backend account, pretix was not correctly validating the current password of the account. Specifically, the current password was accepted as correct, even if the field was left completely empty. This problem was introduced due to a change that happened after the 2025.9.0 release and was deployed on pretix Hosted between November 7 and 26.
A CVE ID was not assigned since no released version is affected.
Severity rating: This is a significant issue in our authentication stack that allows account compromise; however, it can only be exploited if a user session was previously compromised. Since an attacker with a compromised session can already do almost all possible harm, this issue does not increase the overall risk much. In total, we assess the severity as medium.
Affected versions: No released versions of pretix are affected. Only development versions of pretix downloaded after 2025-11-07 (commit 1cb2d443f) are affected, up until commit 8f69cb166 (2025-11-26).
This issue has been found by Jan Roring (binsec GmbH) during an external penetration test that we commissioned.
Fixed versions
We just released updates for the last three stable versions on PyPI that fix problem #1. A fix for problem #2 is not required if you use a stable version of pretix. If you run a pretix installation older than 2025.7, please upgrade to a recent version now.
Note: We initially released versions 2025.9.1, 2025.8.1 and 2025.7.2, which also fixed the issue, but at the same time introduced a regression with rendering URLs in emails.
The new docker images will appear on Docker Hub over the next few hours.
We strongly recommend that you always run the latest version of pretix, as every release contains useful and important bug fixes, even if they are not security related.
If you want to keep updated about bugfix and security releases, you should follow this blog closely. An RSS feed is available and we also announce every blog post on Mastodon.
We take the security of our product very seriously and always go the extra mile to make sure you stay safe. As we are humans, security issues unfortunately still might occur from time to time. We do everything we can to find and fix them as timely as we can. If you notice any security problems or have any questions on this topic, please contact us in private at security@pretix.eu. We will always treat your message with the appropriate priority.