Description
Content injected to PDF rendering contexts could, in many places, include HTML content including <img> tags. If the src
attribute of these images pointed to an URL, the PDF rendering engine
would download the image from that place and display it, thereby leaking
information about the rendering server and possibly creating an SSRF
vector in the local network.
Published: 2026-06-25
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to inject HTML content, specifically <img> tags, into PDF rendering contexts. When the PDF rendering engine processes the injected content, it resolves and downloads the image from the specified URL, thereby exposing internal server information and enabling Server Side Request Forgery (SSRF) against the local network. This issue is cataloged as CWE-80. The CVSS score of 2.1 indicates a low severity impact.

Affected Systems

The affected product is pretix, a component of the pretix e‑commerce platform. No specific version ranges are listed; users should verify whether their deployment includes the vulnerability as mentioned in the release notes.

Risk and Exploitability

The low CVSS score and lack of an EPSS value suggest that widespread exploitation is currently unlikely. The vulnerability requires that malicious content be processed by the PDF rendering engine, which is typically triggered by user‑supplied PDFs or reports. Because the issue is not listed in KEV and the CVSS score remains low, the overall risk is considered moderate, but the potential for SSRF makes it important to assess the exposure of the rendering service.

Generated by OpenCVE AI on June 25, 2026 at 15:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest pretix release that addresses external image loading in PDFs, as announced in the 2026.5.2 release notes.
  • Sanitize or filter all content injected into PDFs to remove <img> tags and other external references before rendering.
  • Configure the PDF rendering engine to block remote image fetches or enforce a no‑remote‑content policy.

Generated by OpenCVE AI on June 25, 2026 at 15:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Pretix
Pretix pretix
Vendors & Products Pretix
Pretix pretix

Thu, 25 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Title Image URL Retrieval via PDF Content Injection Leaks Server Info and Enables SSRF

Thu, 25 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
Description Content injected to PDF rendering contexts could, in many places, include HTML content including <img> tags. If the src attribute of these images pointed to an URL, the PDF rendering engine would download the image from that place and display it, thereby leaking information about the rendering server and possibly creating an SSRF vector in the local network.
Weaknesses CWE-80
References
Metrics cvssV4_0

{'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: rami.io

Published:

Updated: 2026-06-25T15:10:48.584Z

Reserved: 2026-06-24T15:59:32.628Z

Link: CVE-2026-57535

cve-icon Vulnrichment

Updated: 2026-06-25T15:10:44.829Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T22:45:04Z

Weaknesses
  • CWE-80

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)