CVE-2025-14882

LOW

pretix 2025.10.0 - Authorization Bypass via File UUID

Title source: llm

Description

An API endpoint allowed access to other users' sensitive files to anyone who knew the UUID of the file, although these files were not intended to be accessible by UUID only.

Scores

CVSS v4 3.8
EPSS 0.0023
EPSS Percentile 13.1%
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-639
Status published
Products (2)
pretix/pretix-offlinesales 1.12.0 - 1.12.1
pypi/pretix 2025.10.0 - 2025.10.1 (PyPI)
Published Dec 19, 2025
Tracked Since Feb 18, 2026