CVE-2026-57532 PUBLISHED

Assigner: rami.io
Reserved: 24.06.2026 Published: 25.06.2026 Updated: 25.06.2026

Malicious HTML content contained in the layout specification of a PDF ticket or badge layout was executed when the PDF editor is opened in the browser. This could allow one backend user to inject JavaScript into the browser context of another backend user. Due to requirements of the PDF rendering and editing libraries used, this is one of the few pages in our backend that do not have a strong Content-Security-Policy that would render this capability useless for most scenarios.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 8.8

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	High	Integrity	High
Attack Requirements	Present	Availability	High	Availability	High
Privileges Required	High
User Interaction	Passive

CVSS 4.0

Product Status

Vendor	pretix
Product	pretix
Versions	Default: unaffected affected from 0 to 2026.3.4 (excl.) affected from 2026.4.0 to 2026.4.4 (excl.) affected from 2026.5.0 to 2026.5.2 (excl.)

References

https://pretix.eu/about/en/blog/20260625-release-2026-5-2/

Problem Types

CWE-80 Improper neutralization of Script-Related HTML tags in a web page (basic XSS) CWE

Impacts

CAPEC-592 Stored XSS