Impact
A malicious HTML fragment embedded in the layout specification of a PDF ticket or badge can execute when the PDF editor is opened in a browser, enabling a backend user to inject JavaScript that runs in the context of another backend user. This cross‑site scripting flaw allows the attacker to read or modify data, perform actions as the victim user, or hijack the visitor’s session, with the severity reflected by a CVSS score of 8.8. The weakness is identified as CWE‑80.
Affected Systems
The vulnerability affects all installations of Pretix. No specific product version is listed in the CNA data, so every pre‑2026‑5‑2 release of Pretix is potentially impacted until patched.
Risk and Exploitability
The flaw requires a legitimate backend role that can create or alter PDF layouts and access the PDF editor page. Because most pages in the backend lack a strong Content‑Security‑Policy, the JavaScript can run without restriction. The EPSS value is unavailable and the vulnerability is not in the CISA KEV catalog, yet the high CVSS score indicates significant risk if exploited. An attacker can create a malicious layout, distribute it or enable the PDF editor for a target user to trigger the XSS.
OpenCVE Enrichment