Skip to main content

pretix-digital EUVDEUVD-2026-39412

| CVE-2026-13314 LOW
Basic XSS (CWE-80)
2026-06-25 rami.io GHSA-4p6m-xxpw-9r8j
2.0
CVSS 4.0 · Vendor: rami.io

Severity by source

Vendor (rami.io) PRIMARY
2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.0 MEDIUM

PR:H reflects high-privilege operator requirement; AC:H maps the AT:P preconditions; S:C captures cross-browser XSS scope change; no availability impact applies to HTML injection.

3.1 AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (rami.io).

CVSS VectorVendor: rami.io

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

2
Patch available
Jun 25, 2026 - 16:03 EUVD
Analysis Generated
Jun 25, 2026 - 15:17 vuln.today

DescriptionCVE.org

Malicious HTML content could be injected into the content rendered by the pretix-digital plugin.

AnalysisAI

HTML injection in the pretix-digital Pretix ticketing plugin (CWE-80) allows high-privileged operators to embed malicious script-bearing HTML into event content that subsequently executes in the browsers of end users viewing rendered ticket or event pages. All versions of the plugin are indicated as affected per the CPE wildcard, with a vendor fix shipped in the 2026.5.2 release. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker gains high-privilege Pretix operator access
Delivery
Injects malicious HTML into pretix-digital content field
Exploit
Victim user loads rendered event or ticket page
Execution
Injected HTML executes in victim browser context
Impact
Session tokens or user data exposed

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already hold high-privilege (PR:H) Pretix operator access with the ability to edit content rendered by the pretix-digital plugin - this categorically excludes unauthenticated or low-privileged external attackers. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is low. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A Pretix operator with plugin configuration access embeds a malicious HTML payload - such as an inline event handler or a script tag - into a digital ticket or event description field managed by the pretix-digital plugin. When a ticket purchaser or site visitor passively loads the affected event page, their browser interprets and executes the injected content, potentially exposing session tokens or allowing unauthorized in-browser actions on the victim's behalf. …
Remediation Upgrade the pretix-digital plugin to version 2026.5.2 or later as documented in the vendor release blog at https://pretix.eu/about/en/blog/20260625-release-2026-5-2/. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39412 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy