8.8
CVE-2026-57532
- EPSS -
- Veröffentlicht 25.06.2026 14:32:37
- Zuletzt bearbeitet 25.06.2026 16:16:43
- Quelle 655498c3-6ec5-4f0b-aea6-853b33
- CVE-Watchlists
- Unerledigt
Malicious HTML content contained in the layout specification of a PDF ticket or badge layout was executed when the PDF editor is opened in the browser. This could allow one backend user to inject JavaScript into the browser context of another backend user. Due to requirements of the PDF rendering and editing libraries used, this is one of the few pages in our backend that do not have a strong Content-Security-Policy that would render this capability useless for most scenarios.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellerpretix
≫
Produkt
pretix
Default Statusunaffected
Version
0
Version <
2026.3.4
Status
affected
Version
2026.4.0
Version <
2026.4.4
Status
affected
Version
2026.5.0
Version <
2026.5.2
Status
affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 655498c3-6ec5-4f0b-aea6-853b334d05a6 | 8.8 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
https://pretix.eu/about/en/blog/20260625-release-2026-5-2/