Description
Malicious HTML content could be injected into the page pretix shows when
redirection to an untrusted page occurs. Since this page has a
Content-Security-Policy, this can mainly be used for phishing purposes.
Published: 2026-06-25
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Malicious HTML content can be injected into the page pretix displays when a redirection to an untrusted page occurs. Because the page has a Content‑Security‑Policy, the primary use is to create phishing pages that appear legitimate. The vulnerability is classified as a CWE‑80 Content Injection flaw, which could lead to spoofed user interactions without granting attackers full system access.

Affected Systems

Affected systems are installations of the pretix event ticketing platform. No specific version numbers are enumerated in the advisory. The release announcement linked in the advisory (pretix 2026.5.2) is the most recent public version that presumably contains the fix.

Risk and Exploitability

The CVSS base score of 2.1 indicates a low‑severity flaw. No EPSS score is provided, and the vulnerability is not listed in CISA's KEV catalog. The attack vector is inferred to be an external entity that can force a user to click a link that triggers a redirect to an untrusted URL, allowing the attacker to inject arbitrary HTML. Since the payload is limited by the CSP, the risk is primarily phishing rather than code execution.

Generated by OpenCVE AI on June 25, 2026 at 15:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest pretix release (≥2026.5.2) which removes the uncontrolled redirect vulnerability.
  • Verify that CSP headers are correctly configured and that extraneous redirects are not allowed to untrusted domains.
  • If an upgrade is not immediately possible, restrict or remove the ability to redirect to external URLs until the issue is resolved.

Generated by OpenCVE AI on June 25, 2026 at 15:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Pretix
Pretix pretix
Vendors & Products Pretix
Pretix pretix

Thu, 25 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
Title Phishing via Uncontrolled HTML Injection on Redirected Pages

Thu, 25 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
Description Malicious HTML content could be injected into the page pretix shows when redirection to an untrusted page occurs. Since this page has a Content-Security-Policy, this can mainly be used for phishing purposes.
Weaknesses CWE-80
References
Metrics cvssV4_0

{'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: rami.io

Published:

Updated: 2026-06-25T15:05:14.046Z

Reserved: 2026-06-24T15:59:32.628Z

Link: CVE-2026-57533

cve-icon Vulnrichment

Updated: 2026-06-25T15:05:10.743Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T22:45:04Z

Weaknesses
  • CWE-80

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)