PT-2026-8331 · Pretix · Pretix

Published

2026-02-16

·

Updated

2026-02-16

·

CVE-2026-2415

CVSS v4.0
7.5
VectorAV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/RE:L/U:Red
Name of the Vulnerable Software and Affected Versions pretix (affected versions not specified)
Description The pretix software contains flaws in its email placeholder mechanism. This mechanism allows for the insertion of customer data into emails using placeholders. Two security issues were identified: first, specially crafted placeholder names, such as
{{event. init . code .co filename}}
, could be used to exfiltrate sensitive information about the pretix system, including database passwords and API keys. Existing preventative measures were ineffective for email subjects. Second, placeholders in email subjects and plain text bodies were evaluated twice, allowing for the rendering of buyer-controlled placeholders like
invoice company
, potentially broadening the attack surface and leaking order information. An attacker with control over email templates, typically a pretix backend user, could exploit these issues.
Recommendations Rotate all passwords and API keys contained in your pretix.cfg file.

Fix

Weakness Enumeration

Related Identifiers

CVE-2026-2415

Affected Products

Pretix