CVE-2026-13222

Summary

Our payment integration with Oppwa-based payment methods did not properly validate payment status responses. An attacker could use a successful payment status response from one payment and supply it to the system for a different payment, gaining access to multiple valid tickets with only one payment.

Affected Software

VendorProductVersion RangeStatus
pretixpretix-oppwa0 < 1.4.3affected

Weaknesses

  • CWE-841: CWE-841 Improper enforcement of behavioral workflow

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References