Security release 2026.5.2 of pretix and multiple plugins
We have become aware of security issues in pretix due to external reports and internal discoveries. We therefore just released versions 2026.5.2, 2026.4.4, and 2026.3.4 of pretix as well as updates for multiple plugins that fix these problems. It is strongly recommended that you update your installation as soon as possible.
If you are a customer of our pretix Hosted service, the vulnerabilities are already fixed for you and you do not need to take action.
We want to address the recent increase in our security release frequency. This trend is driven by the widespread adoption of AI-assisted tools, which researchers are using to scan pretix (and all other open source software) for vulnerabilities. This does not mean that pretix or its development process is less secure than a few years ago; it mostly means there is a higher rate of detection. In the end, this is one of the strong assets of pretix being open source: Many eyes are on the project and any mistakes will likely be spotted at some point, even if we didn't spot them. We believe the level of detail inherent to almost all of these issues and the lack of any critical issues even with all these additional eyes on the project is a confirmation of our strong security posture and strong processes to quickly fix any issues that are found.
#1: Stored XSS in PDF layout editor [HIGH]
CVE ID: CVE-2026-57532
Malicious HTML content contained in the layout specification of a PDF ticket or badge layout was executed when the PDF editor was opened in the browser. This could allow one backend user to inject JavaScript into the browser context of another backend user. Due to requirements of the PDF rendering and editing libraries used, this is one of the few pages in our backend that do not have a strong Content-Security-Policy that would render this capability useless for most scenarios.
Severity rating: Since the XSS occurs on a page with no Content-Security-Policy, we assess the severity as high.
Affected versions: All currently supported versions (except the fixed versions listed below) are affected.
This issue has been discovered internally.
#2: Reflected XSS in redirection page [LOW]
CVE ID: CVE-2026-57533
Malicious HTML content could be injected into the page pretix shows when redirection to an untrusted page occurs. Since this page has a Content-Security-Policy, this can mainly be used for phishing purposes.
Severity rating: Since the XSS occurs on a page with a strong Content-Security-Policy, we assess the severity as low.
Affected versions: All currently supported versions (except the fixed versions listed below) are affected.
This issue has been reported to us by Haxset.
#3: SSRF through HTML injection in PDF rendering [LOW]
CVE ID: CVE-2026-57535
Content injected into PDF rendering contexts could, in many places, include HTML content such as <img> tags. If the src attribute of these images pointed to a URL, the PDF rendering engine would download the image from that location and display it, thereby leaking information about the rendering server and possibly creating an SSRF vector into the local network.
Severity rating: Since only valid images are rendered, it's hard to create a scenario where this causes actual damage. Therefore, we assess the severity as low.
Affected versions: All currently supported versions (except the fixed versions listed below) are affected.
Compatibility note: The fix for this issue could change the rendering of some PDF documents, such as invoices, that previously relied on HTML tags being rendered. This was never documented or intended behavior, though.
This issue has been reported to us by Rokkam Vamshi.
#4: Stored XSS in ticket confirmation page [MEDIUM]
CVE ID: CVE-2026-13225
Malicious HTML content could be injected into the email address of an order, which pretix showed without sanitization on the confirmation page for individual tickets in that order.
Severity rating: Since the XSS occurs on a page with a Content-Security-Policy that might be weakened by tracking plugins, we assess the severity as medium.
Affected versions: All currently supported versions (except the fixed versions listed below) are affected.
This issue has been discovered internally.
#5: Stored XSS in pretix-pages [LOW]
CVE ID: CVE-2026-57534
Malicious HTML content could be injected into the content of a page in the pretix-pages plugin.
Severity rating: Since the XSS occurs on a page with a strong Content-Security-Policy, we assess the severity as low.
Affected versions: All currently supported versions of the plugin (except the fixed versions listed below) are affected.
This issue has been discovered internally.
#6: Insufficient validation of payment status in pretix-mollie [MEDIUM]
CVE ID: CVE-2026-57536
Our payment integration with Mollie did not properly validate payment status responses. An attacker could use a successful payment status response from one payment and supply it to the system for a different payment, gaining access to multiple valid tickets with only one payment.
Severity rating: Since no data exposure is at risk and large-scale exploitation is likely to be noticed, we assess the severity as medium.
Affected versions: All currently supported versions (except the fixed versions listed below) are affected.
This issue has been discovered internally.
#7: Insufficient validation of payment status in pretix-oppwa [MEDIUM]
CVE ID: CVE-2026-13222
Our payment integration with Oppwa-based payment methods did not properly validate payment status responses. An attacker could use a successful payment status response from one payment and supply it to the system for a different payment, gaining access to multiple valid tickets with only one payment.
Severity rating: Since no data exposure is at risk and large-scale exploitation is likely to be noticed, we assess the severity as medium.
Affected versions: All currently supported versions (except the fixed versions listed below) are affected.
This issue has been reported to us by Deepjyoti Roy.
#8: Insufficient validation of payment status in pretix-computop [MEDIUM]
CVE ID: CVE-2026-13223
Our payment integration with Computop-based payment methods did not properly validate payment status responses. An attacker could use a successful payment status response from one payment and supply it to the system for a different payment, gaining access to multiple valid tickets with only one payment.
Severity rating: Since no data exposure is at risk and large-scale exploitation is likely to be noticed, we assess the severity as medium.
Affected versions: All currently supported versions (except the fixed versions listed below) are affected.
This issue has been reported to us by Deepjyoti Roy.
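Issues #6, #7 and #8 share one pattern, so here is one added example (not code from pretix or any of the payment plugins) showing a confirmation routine that trusts any "paid" status response beside a hardened one that binds the response to the payment it was created for. The provider response shape, fetch_status and LocalPayment are constructed stand-ins, not any provider's real API.

```python
from dataclasses import dataclass

# Constructed provider status responses; field names are assumptions, not a real PSP schema.
PROVIDER_RESPONSES = {
    "tr_alice_1": {"id": "tr_alice_1", "status": "paid",
                   "amount": {"value": "40.00", "currency": "EUR"}},
    "tr_bob_2": {"id": "tr_bob_2", "status": "open",
                 "amount": {"value": "40.00", "currency": "EUR"}},
}


def fetch_status(provider_payment_id):
    """Stand-in for the provider's 'get payment' call (reads constructed data)."""
    return PROVIDER_RESPONSES[provider_payment_id]


@dataclass
class LocalPayment:
    order_code: str
    amount: str
    currency: str
    provider_payment_id: str  # stored server-side when the payment was created
    confirmed: bool = False


def confirm_vulnerable(payment, response):
    """Flawed: accepts a status response without checking it belongs to this payment."""
    if response["status"] == "paid":
        payment.confirmed = True
    return payment.confirmed


def confirm_hardened(payment, provider_payment_id_from_request):
    """Return True only if the provider confirms *this* payment, in full, as paid."""
    # 1. The id named by the incoming request must be the one we stored at creation time.
    if provider_payment_id_from_request != payment.provider_payment_id:
        return False
    # 2. Re-fetch the status from the provider instead of trusting submitted data.
    response = fetch_status(payment.provider_payment_id)
    # 3. Cross-check identity, amount and currency before marking anything as paid.
    if response["id"] != payment.provider_payment_id:
        return False
    expected = (payment.amount, payment.currency)
    if (response["amount"]["value"], response["amount"]["currency"]) != expected:
        return False
    if response["status"] != "paid":
        return False
    payment.confirmed = True
    return True
```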
#9: Stored XSS in pretix-digital [LOW]
CVE ID: CVE-2026-13314
Malicious HTML content could be injected into the content rendered by the pretix-digital plugin.
Severity rating: Since the XSS occurs on a page with a strong Content-Security-Policy, we assess the severity as low.
Affected versions: All currently supported versions of the plugin (except the fixed versions listed below) are affected.
This issue has been discovered internally.
Plugin API change
The API contract of the checkout_confirm_messages signal was changed. When returning HTML, you are now expected to return a SafeString instead of a plain str. This prevents further potential XSS vectors.
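As an added illustration of the new contract (not pretix's or Django's own code), this Python sketch uses minimal stand-ins for Django's SafeString and format_html: the signal consumer escapes anything that is not explicitly marked safe, so a plugin must escape untrusted pieces itself and return the result as a SafeString. The render_confirm_messages function and the order dict are assumptions.

```python
import html


class SafeString(str):
    """Stand-in for django.utils.safestring.SafeString: marks HTML as already escaped."""


def format_html(template, *args):
    """Stand-in for django.utils.html.format_html: escapes each argument, marks result safe."""
    return SafeString(template.format(*(html.escape(str(a), quote=True) for a in args)))


def old_receiver_plain_str(order):
    # Old contract: a plain str, here interpolating an unescaped order field.
    return "<p>Thanks, {}!</p>".format(order["email"])


def new_receiver_safestring(order):
    # New contract: build the markup with escaping and return a SafeString.
    return format_html("<p>Thanks, {}!</p>", order["email"])


def render_confirm_messages(order, receivers):
    """Consumer side of the signal: only a SafeString is inserted verbatim."""
    parts = []
    for recv in receivers:
        msg = recv(order)
        if not isinstance(msg, SafeString):
            msg = html.escape(msg, quote=True)  # plain str is treated as untrusted text
        parts.append(msg)
    return "".join(parts)


# Constructed hostile input: an email address carrying markup.
ORDER = {"email": "<script>alert(1)</script>@example.com"}
```

A receiver that still returns a plain str now has its own tags escaped too, which is the visible sign that a plugin needs updating for the new contract.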
Deprecation of pretix-modirum
The plugin pretix-modirum is also affected by the logic issues found in Oppwa, Mollie, and Computop. As it seems unused and defunct, we have archived it and consider it unmaintained. Still, we released an untested version 1.1.2 with the fix as a final release.
Fixed versions
We just released updates for the last three stable versions on PyPI that fix these problems. If you run a pretix installation older than 2026.3, please upgrade to a recent version now.
We have also published these fixed plugin versions:
- pretix-pages 1.6.4
- pretix-mollie 2.5.6
- pretix-oppwa 1.4.3
- pretix-computop 1.3.2
- pretix-digital 1.6.5 (Enterprise plugin)
The new docker images will appear on Docker Hub over the next few hours.
We strongly recommend that you always run the latest version of pretix, as every release contains useful and important bug fixes, even if they are not security related.
If you want to keep updated about bugfix and security releases, you should follow this blog closely. An RSS feed is available and we also announce every blog post on Mastodon.
We take the security of our product very seriously and always go the extra mile to make sure you stay safe. As we are humans, security issues unfortunately still might occur from time to time. We do everything we can to find and fix them as timely as we can. If you notice any security problems or have any questions on this topic, please contact us in private at security@pretix.eu. We will always treat your message with the appropriate priority.