PT-2025-48262 · Pretix · Pretix

Jan Roring · Published 2025-11-27 · Updated 2025-12-30 · CVE-2025-13742

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: pretix (affected versions not specified)

Description: The software allows the use of placeholders in email templates that are populated with customer data, such as the attendee's name. If a customer's name contains HTML or Markdown formatting, this formatting is rendered in the final email. While a strict allow list approach prevents cross-site scripting (XSS) or similar attacks, this can be exploited to manipulate emails, potentially enabling phishing attacks by making user-provided content appear trustworthy. The issue involves the rendering of potentially malicious formatting within the name placeholder when constructing emails.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
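The following is an added example, not pretix's code: the Markdown renderer is a constructed two-construct subset (`**bold**` and `[text](url)`, with raw HTML escaped first to mirror the "strict allow list" behaviour the description mentions), and the template, placeholder name and sample attendee name are assumptions. It contrasts the vulnerable order of operations (substitute customer data, then render Markdown) with a hardened order (render the operator's template first, then insert customer data as HTML-escaped literal text), and adds an input-side heuristic that flags names carrying formatting metacharacters so they can be logged or reviewed.

```python
import html
import re

# Constructed Markdown subset for this example only (assumed, not pretix's renderer).
_BOLD = re.compile(r"\*\*(.+?)\*\*")
_LINK = re.compile(r"\[([^\]]+)\]\(([^)\s]+)\)")
# Heuristic: Markdown/HTML metacharacters or a URL inside a customer-supplied name.
_MARKUP_HINT = re.compile(r"[<>*_\[\]()`#]|https?://")


def render_markdown(text: str) -> str:
    """Escape raw HTML (the allow-list effect), then render **bold** and [text](url)."""
    out = html.escape(text, quote=True)
    out = _LINK.sub(r'<a href="\2">\1</a>', out)
    out = _BOLD.sub(r"<strong>\1</strong>", out)
    return out


def render_email_vulnerable(template: str, context: dict) -> str:
    """Vulnerable order: customer data is substituted first and therefore parsed as Markdown.

    Raw HTML in the name is still escaped (no XSS), but Markdown links and emphasis
    supplied by the customer become real formatting in the delivered email."""
    return render_markdown(template.format(**context))


def render_email_hardened(template: str, context: dict) -> str:
    """Hardened order: render the operator-controlled template first.

    Placeholder tokens such as {attendee_name} contain no metacharacters, so they
    survive rendering unchanged; customer data is then inserted as HTML-escaped
    literal text and is never fed to the Markdown parser.
    (Assumes the template uses braces only for placeholders.)"""
    rendered_template = render_markdown(template)
    safe_context = {k: html.escape(str(v), quote=True) for k, v in context.items()}
    return rendered_template.format(**safe_context)


def looks_like_markup(value: str) -> bool:
    """Input-side check for logging/review: does a name carry formatting or a URL?"""
    return bool(_MARKUP_HINT.search(value))


# Constructed sample data: an operator template and an attendee name that
# embeds Markdown emphasis and a link.
TEMPLATE = "Hello {attendee_name}, your **ticket** is attached."
CONTEXT = {"attendee_name": "**Notice** [update your details](https://example.test/update)"}

if __name__ == "__main__":
    print("vulnerable:", render_email_vulnerable(TEMPLATE, CONTEXT))
    print("hardened:  ", render_email_hardened(TEMPLATE, CONTEXT))
    print("flagged:   ", looks_like_markup(CONTEXT["attendee_name"]))
```

In the vulnerable path the attendee name arrives in the mail as a bold notice and a clickable link, indistinguishable from formatting the event organiser wrote; in the hardened path the same name is shown verbatim as plain text while the organiser's own `**ticket**` emphasis still renders. The heuristic is deliberately broad (it also matches parentheses), so treat it as a review signal rather than a hard rejection rule.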

Weakness Enumeration

Improper Encoding or Escaping of Output

Related Identifiers

CVE-2025-13742
PYSEC-2025-154

Affected Products

Pretix