CVE-2026-57533 | Malicious HTML content could be injected into the page preti… | CVSS 2.1 LOW

Description

Malicious HTML content could be injected into the page pretix shows when redirection to an untrusted page occurs. Since this page has a Content-Security-Policy, this can mainly be used for phishing purposes.

Metadata

CVE ID: CVE-2026-57533
State: PUBLISHED
Assigner: rami.io
Reserved: 2026-06-24 15:59 UTC
Published: 2026-06-25 14:31 UTC
Last updated: 2026-06-25 15:05 UTC
Primary CWE: CWE-80
CWE-80 Improper neutralization of Script-Related HTML tags i…
Vendor / Product: pretix / pretix
Sources: cve.org · NVD

Severity & Metrics

2.1 LOW CVSS 4.0

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
pretix	pretix	—	0 < 2026.3.4, 2026.4.0 < 2026.4.4, 2026.5.0 < 2026.5.2

Weakness (CWE)

CWE	Source	Description
CWE-80	cna	CWE-80 Improper neutralization of Script-Related HTML tags in a web page (basic XSS)

CVSS scores (1)

Score	Severity	Version	Source	Vector
2.1	LOW	4.0	cna	CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

References (1)

https://pretix.eu/about/en/blog/20260625-release-2026-5-2/