CVE-2025-14882
EPSS 0.06%
pretix has Broken Access Control Allowing Cross-User File Access via UUID
Published: 12/19/2025
Modified: 12/20/2025
Description
An API endpoint allowed access to other users' sensitive files to anyone who knew the file's UUID, even though those files were not intended to be accessible by UUID only.
Affected packages (1)
- PyPI/pretix >= 2025.10.0, < 2025.10.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U |