CVE-2026-13603: The payment integration pretix-oppwa provides support for the payment providers VR Payment, Hobex, and potentially others based on Oppwa's technology. The integration of Oppwa, f
The payment integration pretix-oppwa provides support
for the payment providers VR Payment, Hobex, and potentially others
based on Oppwa's technology. The integration of Oppwa, following their
official documentation, includes a step where the user is redirected
from the payment provider back to our system with a query parameter like
?resourcePath=/v1/checkouts/{checkoutId}/payment in the URL. Our system is then supposed to fetch the status of the transaction from the URL given by baseUrl + resourcePath.
Our plugin pretix-oppwa did so insecurely by
concatenating the parameter form the URL to the base domain of the API
without further validation and, critically, without a / at the end of the baseUrl. Therefore, an attacker could inject a resourcePath argument in a way that causes pretix to call a different
server instead. Since the request includes the access token (API key)
of the Oppwa account, this would leak the access token, giving access to
data contained in the payment provider's system. This is fixed with the
release today by strictly validating the given API URL.
After installing the update, we recommend asking your payment provider for a new access token and updating it in pretix.
Details
Original advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-13603
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-136030.25% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 17% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-13603 | coverage & exploitation status | NVD · CVE.org |
More from NVD Recent CVEs
- mediumCVE-2026-15475: A weakness has been identified in MiniTool Partition Wizard up to 13.6. The affected element i…2026-07-12
- mediumCVE-2026-15474: A security flaw has been discovered in Eleveo Call Recording Software 9.7.0. Impacted is an un…2026-07-12
- mediumCVE-2026-15473: A vulnerability was identified in Eleveo Call Recording Software 9.7.0. This issue affects som…2026-07-12
- mediumCVE-2026-15472: A vulnerability was determined in Eleveo Call Recording Software 9.7.0. This vulnerability aff…2026-07-12
- mediumCVE-2026-15471: A vulnerability was found in Eleveo Call Recording Software 9.7.0. This affects an unknown par…2026-07-12