Skip to main content

Pretix CVE-2026-57532

| EUVDEUVD-2026-39425 HIGH
Basic XSS (CWE-80)
2026-06-25 rami.io GHSA-4jgq-8mwg-w9q9
8.8
CVSS 4.0 · Vendor: rami.io
Share

Severity by source

Vendor (rami.io) PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.7 HIGH

Authenticated backend user injects stored XSS (PR:L), victim must open the editor (UI:R), and execution in another user's browser context crosses a trust boundary (S:C) with high confidentiality/integrity but no direct availability impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (rami.io).

CVSS VectorVendor: rami.io

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

3
Patch available
Jun 25, 2026 - 16:03 EUVD
Analysis Generated
Jun 25, 2026 - 15:16 vuln.today
CVE Published
Jun 25, 2026 - 14:32 cve.org
HIGH 8.8

DescriptionCVE.org

Malicious HTML content contained in the layout specification of a PDF ticket or badge layout was executed when the PDF editor is opened in the browser. This could allow one backend user to inject JavaScript into the browser context of another backend user. Due to requirements of the PDF rendering and editing libraries used, this is one of the few pages in our backend that do not have a strong Content-Security-Policy that would render this capability useless for most scenarios.

AnalysisAI

Stored cross-site scripting in Pretix's PDF ticket and badge layout editor allows one backend user to inject JavaScript that executes in another backend user's browser when they open the PDF editor. Affected is the open-source Pretix event-ticketing platform on versions prior to the 2026.5.2 release; the malicious HTML embedded in a layout specification runs because the PDF editor page is one of the few backend pages that lacks a strong Content-Security-Policy. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as backend user with layout edit rights
Delivery
Embed malicious HTML/JS in PDF layout spec
Exploit
Save and wait for victim to open PDF editor
Execution
CSP-free editor page renders payload
Persist
Script executes in victim's backend session
Impact
Perform actions or steal session as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already hold an authenticated Pretix backend account with permission to create or edit PDF ticket/badge layouts (PR:H), and requires a second backend user to subsequently open the malicious layout in the in-browser PDF editor (UI:P / AT:P). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-supplied CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H, score 8.8) reflects a network-reachable but privilege-gated and interaction-dependent attack: the injector must already be an authenticated backend user (PR:H), a victim must open the malicious layout in the PDF editor (UI:P), and additional attack conditions apply (AT:P). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious or compromised backend user with layout-editing rights crafts a PDF ticket or badge layout containing HTML with an embedded JavaScript payload and saves it. When another backend user (for example an administrator) later opens that layout in the browser-based PDF editor, the script executes in their authenticated session context, allowing the attacker to perform actions as the victim or steal session data. …
Remediation Vendor-released patch: upgrade Pretix to release 2026.5.2 (or later), per the vendor advisory at https://pretix.eu/about/en/blog/20260625-release-2026-5-2/, which is the primary and recommended fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and document all Pretix deployments in use, their current versions, and production status. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Pretix

View all
CVE-2024-27447 CRITICAL
9.8 Feb 26

pretix before 2024.1.1 mishandles file validation. Rated critical severity (CVSS 9.8), this vulnerability is remotely ex

CVE-2023-44464 HIGH
7.8 Sep 29

pretix before 2023.7.2 allows Pillow to parse EPS files. Rated high severity (CVSS 7.8), this vulnerability is no authen

CVE-2026-13602 HIGH
7.7 Jul 01

Privilege escalation to full account takeover in pretix (open-source event ticketing) and its payment integration plugin

CVE-2023-27891 HIGH
7.5 Mar 06

rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. Rated high severity (CVSS

CVE-2024-8113 HIGH
7.2 Aug 23

Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tag

CVE-2026-2451 MEDIUM
6.5 Feb 16

Information disclosure in Pretix email template processing allows authenticated backend users to extract sensitive syste

CVE-2026-2452 MEDIUM
6.5 Feb 16

Information disclosure in Pretix email template processing allows authenticated backend users to extract sensitive syste

CVE-2026-2415 MEDIUM
5.9 Feb 16

Pretix email template placeholder injection enables authenticated backend users to extract sensitive system information

CVE-2026-5600 MEDIUM
5.5 Apr 08

Pretix 2025 and 2026 versions contain an API endpoint authorization bypass that returns all check-in events for an organ

CVE-2026-13225 MEDIUM
5.3 Jun 25

HTML injection on pretix's individual ticket confirmation page allows unsanitized email address content to execute arbit

CVE-2023-44463 MEDIUM
5.3 Oct 02

An issue was discovered in pretix before 2023.7.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely expl

CVE-2026-11764 LOW
3.6 Jun 09

Gift card secret exposure in pretix event ticketing software allows a highly privileged user who lacks explicit gift car

Share

CVE-2026-57532 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy