Impact
Malicious HTML content could be injected into the content of a page in the pretix‑pages plugin. This content is stored and will be served to any user who accesses the page. The injection could lead to execution of JavaScript or other unintended behavior on the client side, potentially compromising confidentiality and integrity for users viewing the page.
Affected Systems
The vulnerability affects the pretix‑pages plugin for the Pretix event‑ticketing platform. No specific version numbers are listed in the CNA data, but the referenced blog post indicates that a new release (2026‑5‑2) has been issued around the time of the advisory.
Risk and Exploitability
The CVSS score of 2.1 represents a low severity finding, and the EPSS score is not available. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is an authenticated user with access to the page‑editing interface, who can inject arbitrary HTML content. Because no high‑impact exploitation path is described and the CVSS rating is low, the overall risk is limited but still relevant for any user who may view or interact with the affected pages.
OpenCVE Enrichment