Impact
The vulnerability allows an attacker to inject HTML content, specifically <img> tags, into PDF rendering contexts. When the PDF rendering engine processes the injected content, it resolves and downloads the image from the specified URL, thereby exposing internal server information and enabling Server Side Request Forgery (SSRF) against the local network. This issue is cataloged as CWE-80. The CVSS score of 2.1 indicates a low severity impact.
Affected Systems
The affected product is pretix, a component of the pretix e‑commerce platform. No specific version ranges are listed; users should verify whether their deployment includes the vulnerability as mentioned in the release notes.
Risk and Exploitability
The low CVSS score and lack of an EPSS value suggest that widespread exploitation is currently unlikely. The vulnerability requires that malicious content be processed by the PDF rendering engine, which is typically triggered by user‑supplied PDFs or reports. Because the issue is not listed in KEV and the CVSS score remains low, the overall risk is considered moderate, but the potential for SSRF makes it important to assess the exposure of the rendering service.
OpenCVE Enrichment