Impact
Malicious HTML content can be injected into the page pretix displays when a redirection to an untrusted page occurs. Because the page has a Content‑Security‑Policy, the primary use is to create phishing pages that appear legitimate. The vulnerability is classified as a CWE‑80 Content Injection flaw, which could lead to spoofed user interactions without granting attackers full system access.
Affected Systems
Affected systems are installations of the pretix event ticketing platform. No specific version numbers are enumerated in the advisory. The release announcement linked in the advisory (pretix 2026.5.2) is the most recent public version that presumably contains the fix.
Risk and Exploitability
The CVSS base score of 2.1 indicates a low‑severity flaw. No EPSS score is provided, and the vulnerability is not listed in CISA's KEV catalog. The attack vector is inferred to be an external entity that can force a user to click a link that triggers a redirect to an untrusted URL, allowing the attacker to inject arbitrary HTML. Since the payload is limited by the CSP, the risk is primarily phishing rather than code execution.
OpenCVE Enrichment