{"timestamp":"2026-06-25T15:04:18.329787Z","id":"CVE-2026-57532","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}

Malicious HTML content contained in the layout specification of a PDF 
ticket or badge layout was executed when the PDF editor is opened in the
 browser. This could allow one backend user to inject JavaScript into 
the browser context of another backend user. Due to requirements of the 
PDF rendering and editing libraries used, this is one of the few pages 
in our backend that do not have a strong Content-Security-Policy that 
would render this capability useless for most scenarios.

AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-80

https://pretix.eu/about/en/blog/20260625-release-2026-5-2/

[{"vendor":"pretix","product":"pretix","defaultStatus":"unaffected","collectionURL":"https://pypi.python.org","packageName":"pretix","repo":"https://github.com/pretix/pretix","versions":[{"version":"0","lessThan":"2026.3.4","versionType":"python","status":"affected"},{"version":"2026.4.0","lessThan":"2026.4.4","versionType":"python","status":"affected"},{"version":"2026.5.0","lessThan":"2026.5.2","versionType":"python","status":"affected"}]}]