HTML Injection Vulnerability in PDF Editing Tool from Pretix
CVE-2026-57532

8.8 HIGH

Key Information:

Vendor: Pretix
Status: Vendor
CVE Published: 25 June 2026

What is CVE-2026-57532?

A vulnerability in the PDF editing tool from Pretix allows attacker-controlled HTML to be rendered, and any JavaScript it carries to be executed, when the PDF editor is opened in a browser. The issue arises because the layout specification for PDF tickets or badges can contain HTML that is not neutralised before it reaches the editor page, so one backend user can inject JavaScript that runs in another backend user's browser context (stored HTML injection). The weakness is compounded by the lack of a robust Content-Security-Policy in this part of the Pretix backend, which would otherwise block injected inline scripts even when output escaping is missed. Administrators should update to a fixed version and treat layout specifications as untrusted input.

Affected Version(s)

pretix 0 < 2026.3.4

pretix 2026.4.0 < 2026.4.4

pretix 2026.5.0 < 2026.5.2

References

CVSS V4

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
