NIXPKGS-2026-0008

published on 11 Jan 2026

Permalink CVE-2025-14881

updated 1 month, 1 week ago by @LeSuisse Activity log

Created automatic suggestion 1 month, 1 week ago
@LeSuisse removed package pretix-banktool 1 month, 1 week ago
@LeSuisse removed maintainer @mweinelt 1 month, 1 week ago
@LeSuisse accepted 1 month, 1 week ago
@LeSuisse published on GitHub 1 month, 1 week ago

Insecure direct object reference

Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.

Affected products

pretix

<2025.9.0
<2025.8.0
<2025.10.0
<2025.11.0

Matching in nixpkgs

pkgs.pretix

Ticketing software that cares about your event—all the way

nixos-unstable 2025.9.0
- nixpkgs-unstable 2025.9.0
- nixos-unstable-small 2025.9.0

Package maintainers

Ignored maintainers (1)

@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>

https://github.com/NixOS/nixpkgs/pull/472420 (Unstable)
https://github.com/NixOS/nixpkgs/pull/472424 (25.11)

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0008

Affected products

Matching in nixpkgs

pkgs.pretix

Package maintainers