{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4982", "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "state": "PUBLISHED", "assignerShortName": "rami.io", "dateReserved": "2026-03-27T12:15:15.436Z", "datePublished": "2026-03-27T12:32:41.164Z", "dateUpdated": "2026-03-27T19:39:20.014Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "shortName": "rami.io", "dateUpdated": "2026-03-27T12:32:41.164Z"}, "title": "Unauthorized access to chat contents", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-20", "description": "CWE-20 Improper input validation", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-21", "descriptions": [{"lang": "en", "value": "CAPEC-21 Exploitation of Trusted Identifiers"}]}], "affected": [{"vendor": "pretix", "product": "Venueless", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "2026.3.27.e20083a", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A user with permission \"update world\" in any Venueless world is able to exfiltrate chat messages from direct messages or channels in other worlds on the same server due to a bug in the reporting feature.\n\nThe exploitability is limited by the fact that the attacker needs to know the internal channel UUID of the chat channel, which is unlikely to be obtained by an outside attacker, especially for direct messages.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A user with permission \"update world\" in any Venueless world is able to exfiltrate chat messages from direct messages or channels in other worlds on the same server due to a bug in the reporting feature.<br><br>The exploitability is limited by the fact that the attacker needs to know the internal channel UUID of the chat channel, which is unlikely to be obtained by an outside attacker, especially for direct messages."}]}], "references": [{"url": "https://github.com/venueless/venueless/security/advisories/GHSA-6fq7-pgj3-6cfp"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 7.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H"}}], "credits": [{"lang": "en", "value": "Pratik Karan", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4982", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T19:23:52.214430Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T19:39:20.014Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4982", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T19:23:52.214430Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T19:30:32.864Z"}}], "cna": {"title": "Unauthorized access to chat contents", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Pratik Karan"}], "impacts": [{"capecId": "CAPEC-21", "descriptions": [{"lang": "en", "value": "CAPEC-21 Exploitation of Trusted Identifiers"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "pretix", "product": "Venueless", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "2026.3.27.e20083a", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/venueless/venueless/security/advisories/GHSA-6fq7-pgj3-6cfp"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "A user with permission \"update world\" in any Venueless world is able to exfiltrate chat messages from direct messages or channels in other worlds on the same server due to a bug in the reporting feature.\n\nThe exploitability is limited by the fact that the attacker needs to know the internal channel UUID of the chat channel, which is unlikely to be obtained by an outside attacker, especially for direct messages.", "supportingMedia": [{"type": "text/html", "value": "A user with permission \"update world\" in any Venueless world is able to exfiltrate chat messages from direct messages or channels in other worlds on the same server due to a bug in the reporting feature.<br><br>The exploitability is limited by the fact that the attacker needs to know the internal channel UUID of the chat channel, which is unlikely to be obtained by an outside attacker, especially for direct messages.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper input validation"}]}], "providerMetadata": {"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "shortName": "rami.io", "dateUpdated": "2026-03-27T12:32:41.164Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4982", "state": "PUBLISHED", "dateUpdated": "2026-03-27T19:39:20.014Z", "dateReserved": "2026-03-27T12:15:15.436Z", "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "datePublished": "2026-03-27T12:32:41.164Z", "assignerShortName": "rami.io"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A user with permission \"update world\" in any Venueless world is able to exfiltrate chat messages from direct messages or channels in other worlds on the same server due to a bug in the reporting feature.\n\nThe exploitability is limited by the fact that the attacker needs to know the internal channel UUID of the chat channel, which is unlikely to be obtained by an outside attacker, especially for direct messages."}], "id": "CVE-2026-4982", "lastModified": "2026-03-30T13:26:29.793", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "type": "Secondary"}]}, "published": "2026-03-27T13:16:25.297", "references": [{"source": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "url": "https://github.com/venueless/venueless/security/advisories/GHSA-6fq7-pgj3-6cfp"}], "sourceIdentifier": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0.0.0,2026.3.27.e20083a)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Venueless", "source": "cna", "vendor": "pretix"}, "product": "venueless", "vendor": "pretix"}], "analysis": {"en": {"generated_at": "2026-03-27T15:59:10.157863+00:00", "value": {"mitigation_remediation": ["Apply the latest Venueless patch that addresses the reporting bug", "Review user permissions and remove the update world privilege from individuals who do not require it", "If a patch is not yet available, limit access to the reporting feature or restrict the update world permission until a fix is deployed"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized access to chat messages resulting in a confidentiality breach"}, "threat_synthesis": {"affected_systems": "All installations of Pretix Venueless where the update world permission is granted to a user. No specific version is listed, so any deployment that has not applied the published fix is potentially affected.", "description_and_impact": "A flaw in the reporting function of Venueless allows a user who holds the \"update world\" permission to read private conversations from other worlds on the same server. The bug permits extraction of both direct message and channel chat histories, enabling an insider to obtain sensitive information that should be confined to the original participants. The vulnerability is rooted in insufficient input validation when handling chat channel identifiers.", "risk_and_exploitability": "The CVSS score of 7.3 indicates a high severity. Exploitation requires a user to obtain the internal UUID of the target chat channel, which is unlikely to be exposed to external actors; therefore the risk is mainly from privileged users or compromised accounts. The EPSS score is not available and the vulnerability is not currently in the CISA KEV list, reducing the likelihood of widespread deployment. Nonetheless, the presence of a privilege escalation vector and the ability to read private conversation data makes it a significant threat for organizations relying on Venueless for secure event communication."}}}}, "created": "2026-03-27T20:28:54.673397+00:00", "updated": "2026-03-30T07:02:05.060784+00:00", "vendors": ["pretix", "pretix$PRODUCT$venueless"]}