2.1

CVE-2026-57535

Content injected to PDF rendering contexts could, in many places, include HTML content including <img> tags. If the src
 attribute of these images pointed to an URL, the PDF rendering engine 
would download the image from that place and display it, thereby leaking
 information about the rendering server and possibly creating an SSRF 
vector in the local network.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellerpretix
Produkt pretix
Default Statusunaffected
Version 0
Version < 2026.3.4
Status affected
Version 2026.4.0
Version < 2026.4.4
Status affected
Version 2026.5.0
Version < 2026.5.2
Status affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
655498c3-6ec5-4f0b-aea6-853b334d05a6 2.1 0 0
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

https://pretix.eu/about/en/blog/20260625-release-2026-5-2/