HTML Injection Vulnerability in PDF Rendering Engine by Pretix
CVE-2026-57535

2.1 LOW

Key Information:

Vendor: Pretix

Status: Vendor

CVE Published: 25 June 2026

What is CVE-2026-57535?

The vulnerability in Pretix's PDF rendering engine allows HTML content to be injected into rendered PDFs. Maliciously crafted input rendered into a PDF can embed tags that, when the PDF is rendered, fetch images from external URLs. This behavior risks leaking information about the hosting server (the fetch originates from the server rendering the PDF) and could potentially be exploited for server-side request forgery (SSRF) against the organization's local network. Proper sanitization and validation of the content that reaches the renderer are the key mitigations for this vulnerability.
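The mitigation the description points at has two halves: user-controlled text must not reach the PDF renderer as live markup, and any image the renderer is asked to fetch must come from a source the operator controls. The following is an added illustration written for this page; it is not pretix's own code and makes no claim about how pretix's renderer works. It assumes a renderer that accepts a small HTML-like markup in which an `<img src=...>` tag triggers a fetch, and it uses a constructed allowlist of inline tags (`b`, `i`, `u`, `br`) and hosts.

```python
import html
import ipaddress
import re
from urllib.parse import urlparse

# Constructed allowlist (an assumption for this example): only simple inline
# formatting survives; anything else, including <img>, is escaped to text.
ALLOWED_TAGS = {"b", "i", "u", "br"}
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>")


def sanitize_for_pdf(text: str) -> str:
    """Escape user-controlled text before it is handed to a markup-aware
    PDF renderer. Allowed tags are kept only when they carry no attributes;
    every other tag, and every stray '<' or '&', is HTML-escaped so the
    renderer treats it as literal text rather than as markup."""
    out = []
    pos = 0
    for m in TAG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()], quote=False))
        closing, name, attrs = m.group(1), m.group(2).lower(), m.group(3)
        if name in ALLOWED_TAGS and not attrs.strip():
            out.append(f"<{closing}{name}>")
        else:
            out.append(html.escape(m.group(0), quote=False))
        pos = m.end()
    out.append(html.escape(text[pos:], quote=False))
    return "".join(out)


def image_source_allowed(url: str, allowed_hosts) -> bool:
    """Policy check for images the application itself places into a PDF.
    Only https URLs to an allowlisted hostname pass; raw IP literals
    (including loopback and link-local addresses) are always rejected so a
    server-side fetch cannot be pointed at internal services."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname.lower()
    try:
        ipaddress.ip_address(host)
        return False  # IP literal: never allowed, whatever the address
    except ValueError:
        pass
    return host in {h.lower() for h in allowed_hosts}


if __name__ == "__main__":
    # Constructed sample input: a "name" field containing an injected image tag.
    attendee_name = 'Alice <b>Example</b> <img src="http://169.254.169.254/x">'
    print(sanitize_for_pdf(attendee_name))
    print(image_source_allowed("https://cdn.example.org/logo.png", {"cdn.example.org"}))
    print(image_source_allowed("http://127.0.0.1/admin", {"cdn.example.org"}))
```

The sanitizer is applied to every field that originates from a user (names, answers, free text) before templating; the host check is applied where the application, not the user, supplies an image URL. A hostname allowlist still resolves at fetch time, so in a real deployment the HTTP client behind the renderer should also refuse redirects and re-check the resolved address, which this short example does not do.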

Affected Version(s)

pretix 0 < 2026.3.4

pretix 2026.4.0 < 2026.4.4

pretix 2026.5.0 < 2026.5.2

References

CVSS V4

Score: 2.1
Severity: LOW
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Rokkam Vamshi