NIXPKGS-2026-0008

published on

Permalink CVE-2025-14881

updated 4 months, 2 weeks ago by @LeSuisse Activity log

Created suggestion 4 months, 2 weeks ago
@LeSuisse ignored package pretix-banktool 4 months, 2 weeks ago
@LeSuisse deleted maintainer @mweinelt 4 months, 2 weeks ago maintainer.delete
@LeSuisse accepted 4 months, 2 weeks ago
@LeSuisse published on GitHub 4 months, 2 weeks ago

Insecure direct object reference

Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.

References

https://pretix.eu/about/en/blog/20251218-release-2025-10-1/ vendor-advisory

Affected products

pretix

<2025.8.0
<2025.10.0
<2025.9.0
<2025.11.0

Matching in nixpkgs

pkgs.pretix

Ticketing software that cares about your event—all the way

nixos-unstable 2025.9.0
- nixpkgs-unstable 2025.9.0
- nixos-unstable-small 2025.9.0

Ignored packages (1)

pkgs.pretix-banktool

Automatic bank data upload tool for pretix (with FinTS client)

nixos-unstable 1.1.0
- nixpkgs-unstable 1.1.0
- nixos-unstable-small 1.1.0

Package maintainers

Ignored maintainers (1)

@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>

https://github.com/NixOS/nixpkgs/pull/472420 (Unstable)
https://github.com/NixOS/nixpkgs/pull/472424 (25.11)