Impact
A stored cross‑site scripting flaw exists in the pretix‑digital plugin, allowing an attacker to embed malicious HTML into content that is later rendered to users. If exploited, the injected script could execute in the context of the victim’s browser, potentially stealing session cookies, defacing content, or hijacking user interactions. The flaw is classified as CWE‑80 and carries a low CVSS score of 2, indicating limited impact: an attacker who can inject content gains neither escalated privileges nor system compromise.
Affected Systems
The vulnerability affects the pretix‑digital plugin released by pretix. Specific version ranges are not enumerated in the available data, so any instance of the plugin that has not been updated to the latest release is potentially affected.
Risk and Exploitability
The low CVSS score and the absence of an EPSS value suggest that, while exploitation is theoretically possible, the impact is limited to the users who view the affected content. The attack vector is inferred to require the attacker to submit HTML content through the plugin’s input channels, which are typically handled by an administrator or staff member. No evidence indicates that this flaw is currently listed in the CISA KEV catalog, and no widely documented exploits have been observed. Consequently, the overall risk is low, but the flaw could still be used in phishing or social engineering campaigns against site visitors.
OpenCVE Enrichment