Description
Malicious HTML content could be injected into the content of a page in the pretix-pages plugin.
Published: 2026-06-25
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Malicious HTML content could be injected into the content of a page in the pretix‑pages plugin. This content is stored and will be served to any user who accesses the page. The injection could lead to execution of JavaScript or other unintended behavior on the client side, potentially compromising confidentiality and integrity for users viewing the page.

Affected Systems

The vulnerability affects the pretix‑pages plugin for the Pretix event‑ticketing platform. No specific version numbers are listed in the CNA data, but the referenced blog post indicates that a new release (2026‑5‑2) has been issued around the time of the advisory.

Risk and Exploitability

The CVSS score of 2.1 represents a low severity finding, and the EPSS score is not available. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is an authenticated user with access to the page‑editing interface, who can inject arbitrary HTML content. Because no high‑impact exploitation path is described and the CVSS rating is low, the overall risk is limited but still relevant for any user who may view or interact with the affected pages.

Generated by OpenCVE AI on June 25, 2026 at 16:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pretix to version 2026‑5‑2 or later, which addresses the stored XSS flaw in the pretix‑pages plugin.
  • If an upgrade is not feasible immediately, restrict the page‑editing feature to trusted administrators and enforce strict input validation to strip out disallowed HTML tags and attributes.
  • Monitor scheduled pages for unexpected script tags or alterations, and remove any suspicious content promptly.

Generated by OpenCVE AI on June 25, 2026 at 16:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Pretix
Pretix pretix-pages
Vendors & Products Pretix
Pretix pretix-pages

Thu, 25 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
Description Malicious HTML content could be injected into the content of a page in the pretix-pages plugin.
Title Stored XSS in pretix-pages
Weaknesses CWE-80
References
Metrics cvssV4_0

{'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L'}


Subscriptions

Pretix Pretix-pages
cve-icon MITRE

Status: PUBLISHED

Assigner: rami.io

Published:

Updated: 2026-06-25T15:12:42.755Z

Reserved: 2026-06-24T15:59:32.628Z

Link: CVE-2026-57534

cve-icon Vulnrichment

Updated: 2026-06-25T15:12:39.989Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:37:33Z

Weaknesses
  • CWE-80

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)