NIXPKGS-2026-0008

published on 11 Jan 2026

CVE-2025-14881

updated 1 week, 4 days ago by @LeSuisse Activity log

Created automatic suggestion 1 week, 5 days ago
@LeSuisse removed package pretix-banktool 1 week, 5 days ago
@LeSuisse removed maintainer @mweinelt 1 week, 4 days ago
@LeSuisse accepted as draft 1 week, 4 days ago
@LeSuisse published on GitHub 1 week, 4 days ago

Insecure direct object reference

Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.

Affected products

pretix

<2025.9.0
<2025.10.0
<2025.11.0
<2025.8.0

Matching in nixpkgs

pkgs.pretix

Ticketing software that cares about your event—all the way

nixos-unstable 2025.9.0
- nixpkgs-unstable 2025.9.0
- nixos-unstable-small 2025.9.0
nixos-25.11 2025.9.0
- nixos-25.11-small 2025.9.0
- nixpkgs-25.11-darwin 2025.9.0
nixos-25.05 2025.4.0
- nixos-25.05-small 2025.4.0
- nixpkgs-25.05-darwin 2025.4.0

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0008

Affected products

Matching in nixpkgs

pkgs.pretix