Pretix Digital
Monthly
HTML injection in the pretix-digital Pretix ticketing plugin (CWE-80) allows high-privileged operators to embed malicious script-bearing HTML into event content that subsequently executes in the browsers of end users viewing rendered ticket or event pages. All versions of the plugin are indicated as affected per the CPE wildcard, with a vendor fix shipped in the 2026.5.2 release. No public exploit has been identified at time of analysis, the vulnerability is absent from the CISA KEV catalog, and the low CVSS 4.0 score of 2.0 reflects the high privilege and specific preconditions required for exploitation.
HTML injection in the pretix-digital Pretix ticketing plugin (CWE-80) allows high-privileged operators to embed malicious script-bearing HTML into event content that subsequently executes in the browsers of end users viewing rendered ticket or event pages. All versions of the plugin are indicated as affected per the CPE wildcard, with a vendor fix shipped in the 2026.5.2 release. No public exploit has been identified at time of analysis, the vulnerability is absent from the CISA KEV catalog, and the low CVSS 4.0 score of 2.0 reflects the high privilege and specific preconditions required for exploitation.