CVE-2026-57532

EUVD-2026-39425

25.06.2026, 15:16

Malicious HTML content contained in the layout specification of a PDF
ticket or badge layout was executed when the PDF editor is opened in the
browser. This could allow one backend user to inject JavaScript into
the browser context of another backend user. Due to requirements of the
PDF rendering and editing libraries used, this is one of the few pages
in our backend that do not have a strong Content-Security-Policy that
would render this capability useless for most scenarios.

Basic XSS

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
rami.io	CNA	8.8 HIGH	NETWORK	LOW	HIGH	CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
pretix	pretix	𝑥 < 2026.3.4	CNA
pretix	pretix	2026.4.0 ≤ 𝑥 < 2026.4.4	CNA
pretix	pretix	2026.5.0 ≤ 𝑥 < 2026.5.2	CNA

Common Weakness Enumeration

CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

References

https://pretix.eu/about/en/blog/20260625-release-2026-5-2/