NIXPKGS-2026-0008

published on

Permalink CVE-2025-14881

updated 2 months, 4 weeks ago by @LeSuisse Activity log

Created automatic suggestion 3 months ago
@LeSuisse removed package pretix-banktool 3 months ago
@LeSuisse removed maintainer @mweinelt 2 months, 4 weeks ago
@LeSuisse accepted 2 months, 4 weeks ago
@LeSuisse published on GitHub 2 months, 4 weeks ago

Insecure direct object reference

Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.

References

https://pretix.eu/about/en/blog/20251218-release-2025-10-1/ vendor-advisory

Affected products

pretix

<2025.11.0
<2025.8.0
<2025.9.0
<2025.10.0

Matching in nixpkgs

pkgs.pretix

Ticketing software that cares about your event—all the way

nixos-unstable 2025.9.0
- nixpkgs-unstable 2025.9.0
- nixos-unstable-small 2025.9.0

Package maintainers

Ignored maintainers (1)

@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>

https://github.com/NixOS/nixpkgs/pull/472420 (Unstable)
https://github.com/NixOS/nixpkgs/pull/472424 (25.11)

Nixpkgs security tracker

Details of issue NIXPKGS-2026-0008

References

Affected products

Matching in nixpkgs

pkgs.pretix

Package maintainers